emacs-orgmode@gnu.org archives
* org-crypt broken on Ubuntu 18.04
@ 2018-06-13 17:24 Óscar Fuentes
  2018-06-13 19:22 ` Nicolas Goaziou
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 17:24 UTC (permalink / raw)
  To: emacs-orgmode

Hello.

Today I noticed that org-crypt is broken on my daily driver.

On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
dialog asks for the password, I type the password and then the
minibuffer shows

GPG error: "Decryption failed", ""

The complete error message on *Messages* is

epg--check-error-for-decrypt: GPG error: "Decryption failed", ""

This is a very recent problem. In dpkg.log I see:

2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1

2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1

I tried the latest org-mode (9.1.13) and Emacs from master branch but
the problem persists.

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/oscar/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
@ 2018-06-13 19:22 ` Nicolas Goaziou
  2018-06-13 20:11   ` Óscar Fuentes
  2018-06-20  2:05 ` Óscar Fuentes
  2018-07-26 11:57 ` Óscar Fuentes
  2 siblings, 1 reply; 10+ messages in thread
From: Nicolas Goaziou @ 2018-06-13 19:22 UTC (permalink / raw)
  To: Óscar Fuentes; +Cc: emacs-orgmode

Hello,

Óscar Fuentes <ofv@wanadoo.es> writes:

> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""

Could you provide an ECM?

Thank you.

Regards,

-- 
Nicolas Goaziou


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 19:22 ` Nicolas Goaziou
@ 2018-06-13 20:11   ` Óscar Fuentes
  2018-06-13 20:20     ` Thibault Polge
  0 siblings, 1 reply; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 20:11 UTC (permalink / raw)
  To: emacs-orgmode

Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:

> Hello,
>
> Óscar Fuentes <ofv@wanadoo.es> writes:
>
>> Today I noticed that org-crypt is broken on my daily driver.
>>
>> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
>> dialog asks for the password, I type the password and then the
>> minibuffer shows
>>
>> GPG error: "Decryption failed", ""
>>
>> The complete error message on *Messages* is
>>
>> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> Could you provide an ECM?

What's an ECM?


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 20:11   ` Óscar Fuentes
@ 2018-06-13 20:20     ` Thibault Polge
  2018-06-13 23:12       ` Óscar Fuentes
  0 siblings, 1 reply; 10+ messages in thread
From: Thibault Polge @ 2018-06-13 20:20 UTC (permalink / raw)
  To: Óscar Fuentes; +Cc: emacs-orgmode

> What's an ECM?

French for Exemple complet minimal = Minimal Working Example (MWE)[1]

[1]: https://en.wikipedia.org/wiki/Minimal_Working_Example

--
Thibault


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 20:20     ` Thibault Polge
@ 2018-06-13 23:12       ` Óscar Fuentes
  2018-06-14  5:31         ` Jens Lechtenboerger
  2018-06-14 11:57         ` hymie!
  0 siblings, 2 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 23:12 UTC (permalink / raw)
  To: emacs-orgmode

Thibault Polge <thibault@thb.lt> writes:

>> What's an ECM?
>
> French for Exemple complet minimal = Minimal Working Example (MWE)[1]
>
> [1]: https://en.wikipedia.org/wiki/Minimal_Working_Example

Thanks.

While trying to create a demo file I noticed that decryption works fine
as long as the content was relatively new, while it fails for content
that was encrypted years ago.

I tried setting epg-gpg-program to "gpg" (it is "gpg2" by default) for
encrypting some tests but then decryption worked fine on those tests.

I need to look at how org-decrypt-entry works and determine if the problem
is with that function or with epg.


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 23:12       ` Óscar Fuentes
@ 2018-06-14  5:31         ` Jens Lechtenboerger
  2018-06-14 11:57         ` hymie!
  1 sibling, 0 replies; 10+ messages in thread
From: Jens Lechtenboerger @ 2018-06-14  5:31 UTC (permalink / raw)
  To: Óscar Fuentes; +Cc: emacs-orgmode

On 2018-06-14, Óscar Fuentes wrote:

> While trying to create a demo file I noticed that decryption works fine
> as long as the content was relatively new, while it fails for content
> that was encrypted years ago.
>
> I tried setting epg-gpg-program to "gpg" (it is "gpg2" by default) for
> encrypting some tests but then decryption worked fine on those tests.

Probably you encrypted without integrity protection, which was
always a bad idea but in view of EFAIL attacks has recently gained
lots of attention as a Bad Thing.  Nowadays GnuPG returns a failure;
you can override that if you know what you are doing.

See there: https://dev.gnupg.org/T3714

Best wishes
Jens


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 23:12       ` Óscar Fuentes
  2018-06-14  5:31         ` Jens Lechtenboerger
@ 2018-06-14 11:57         ` hymie!
  1 sibling, 0 replies; 10+ messages in thread
From: hymie! @ 2018-06-14 11:57 UTC (permalink / raw)
  To: emacs-orgmode

In our last episode, the evil Dr. Lacto had captured our hero,
  Óscar Fuentes <ofv@wanadoo.es>, who said:

> While trying to create a demo file I noticed that decryption works fine
> as long as the content was relatively new, while it fails for content
> that was encrypted years ago.

"Years ago" ?  Sounds like maybe you lost the key?

Can you take the encrypted text, put it into its own file, and
use gpg to decrypt that?  If not, it should give you a more robust
verbose message.

--hymie!     http://lactose.homelinux.net/~hymie    hymie@lactose.homelinux.net


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
  2018-06-13 19:22 ` Nicolas Goaziou
@ 2018-06-20  2:05 ` Óscar Fuentes
  2018-07-26 11:57 ` Óscar Fuentes
  2 siblings, 0 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-20  2:05 UTC (permalink / raw)
  To: emacs-orgmode

Óscar Fuentes <ofv@wanadoo.es> writes:

> Hello.
>
> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> This is a very recent problem. In dpkg.log I see:
>
> 2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> 2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> I tried the latest org-mode (9.1.13) and Emacs from master branch but
> the problem persists.

Today I upgraded a Debian Testing machine which included gpg 2.2.8 and,
sure enough, now that machine also presents the same problem.

I'll try to debug the issue as soon as I have some spare time.


* Re: org-crypt broken on Ubuntu 18.04
  2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
  2018-06-13 19:22 ` Nicolas Goaziou
  2018-06-20  2:05 ` Óscar Fuentes
@ 2018-07-26 11:57 ` Óscar Fuentes
  2018-07-26 22:12   ` do not ignore mdc errors on a permanent basis (was: org-crypt broken on Ubuntu 18.04) Gregor Zattler
  2 siblings, 1 reply; 10+ messages in thread
From: Óscar Fuentes @ 2018-07-26 11:57 UTC (permalink / raw)
  To: emacs-orgmode

For the record: executing gpg2 from the command line is revealing:

gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
     likely that this message is legitimate.  This is because back
     then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!

The solution is to add `ignore-mdc-error' to ~/.gnupg/gpg.conf.

Óscar Fuentes <ofv@wanadoo.es> writes:

> Hello.
>
> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> This is a very recent problem. In dpkg.log I see:
>
> 2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> 2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> I tried the latest org-mode (9.1.13) and Emacs from master branch but
> the problem persists.
>
> $ gpg --version
> gpg (GnuPG) 2.2.4
> libgcrypt 1.8.1
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /home/oscar/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2


* do not ignore mdc errors on a permanent basis (was: org-crypt broken on Ubuntu 18.04)
  2018-07-26 11:57 ` Óscar Fuentes
@ 2018-07-26 22:12   ` Gregor Zattler
  0 siblings, 0 replies; 10+ messages in thread
From: Gregor Zattler @ 2018-07-26 22:12 UTC (permalink / raw)
  To: emacs-orgmode

Hi Óscar,
* Óscar Fuentes <ofv@wanadoo.es> [2018-07-26; 13:57]:
> For the record: executing gpg2 from the command line is revealing:
>
> gpg: WARNING: message was not integrity protected
> gpg: Hint: If this message was created before the year 2003 it is
>      likely that this message is legitimate.  This is because back
>      then integrity protection was not widely used.
> gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
> gpg: decryption forced to fail!
>
> The solution is to add `ignore-mdc-error' to ~/.gnupg/gpg.conf.

I hope you'll do this only as a temporary measure.  You could
decrypt and re-encrypt the org-crypt parts in question iff you
are sure they were encrypted years ago and their contents are ok.

But having this option in  ~/.gnupg/gpg.conf  otherwise weakens
the security of GnuPG usage considerably.

From the gpg man page:

     --ignore-mdc-error
          This option changes a  MDC integrity protection failure
          into a  warning.  This  can be useful  if a  message is
          partially corrupt, but  it is necessary to  get as much
          data as possible out  of the corrupt message.  However,
          be aware  that a MDC  protection failure may  also mean
          that the message was  tampered with intentionally by an
          attacker.

The usage scenario described in the first sentence is clearly a
one-time thing.  Putting this option in gpg.conf ignores this
kind of error for all future usage; for risks and side effects
see the second sentence.

Ciao; Gregor 
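
Added example, not part of the thread or of org-crypt: one way to find which armored blocks in an Org file lack integrity protection, so that only those entries get the one-time decrypt and re-encrypt suggested above. It reads the OpenPGP packet tag of each block (RFC 4880: tag 9 is Symmetrically Encrypted Data without an MDC, tag 18 is the integrity-protected form); the function names, labels and sample data are constructed for illustration.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", re.S)
LABELS = {9: "no-mdc", 18: "mdc"}   # RFC 4880 tags: 9 = SED, 18 = SEIPD (carries the MDC)

def dearmor(body):
    """Decode the text between the BEGIN/END lines into binary OpenPGP packets."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if "" in lines:                      # armor headers end at the blank line
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))

def encrypted_packet_tag(data):
    """Skip the session-key packets; return the tag of the encrypted-data packet."""
    i = 0
    while i < len(data) and data[i] & 0x80:
        hdr = data[i]
        new = bool(hdr & 0x40)
        tag = hdr & 0x3F if new else (hdr >> 2) & 0x0F
        if tag in LABELS:
            return tag
        if new and data[i + 1] < 192:                 # one-octet length
            length, i = data[i + 1], i + 2
        elif new and data[i + 1] < 224:               # two-octet length
            length, i = ((data[i + 1] - 192) << 8) + data[i + 2] + 192, i + 3
        elif new and data[i + 1] == 255:              # five-octet length
            length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        elif not new and (hdr & 0x03) < 3:            # old format: 1, 2 or 4 octets
            n = 1 << (hdr & 0x03)
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        else:                                         # partial or indeterminate length
            return None
        i += length
    return None

def audit(org_text):
    """One label per armored block, in file order."""
    return [LABELS.get(encrypted_packet_tag(dearmor(m.group(1))), "unknown")
            for m in ARMOR.finditer(org_text)]

# Constructed sample: a symmetric-key packet followed by zero-filled dummy "ciphertext".
def armor_sample(binary):
    return ("-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(binary).decode()
            + "\n=AAAA\n-----END PGP MESSAGE-----\n")

SKESK = bytes([0x8C, 13, 4, 7, 3, 2]) + bytes(8) + bytes([96])
SAMPLE = ("* old entry :crypt:\n" + armor_sample(SKESK + bytes([0xA4, 16]) + bytes(16))
          + "* new entry :crypt:\n" + armor_sample(SKESK + bytes([0xD2, 17, 1]) + bytes(16)))
```

Entries reported as `no-mdc` are the ones GnuPG now refuses to decrypt without `--ignore-mdc-error`; blocks labelled `mdc` are unaffected.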
