[pkg-gnupg-maint] Bug#846953: Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 5 16:43:55 UTC 2016


Control: reassign 846953 gnupg-agent
Control: retitle 846953 gnupg-agent cannot deal with extremely large passphrase-encrypted keys
Control: forwarded 846953 https://bugs.gnupg.org/gnupg/issue2857

On Mon 2016-12-05 11:24:08 -0500, Daniel Kahn Gillmor wrote:
> on to the rest of it...
>
> do you have
> ~/.gnupg/private-keys-v1.d/DFE35C37A3C37A72BEE31A2E55252BA2A1EB0A2C.key
> ?
>
> is it (in)appropriately large compared to the other, smaller secret key
> material?
>
> (that path is derived from --with-keygrip, fwiw)
>
> can you try turning up the logging for gpg-agent (log-file and
> debug-level in ~/.gnupg/gpg-agent.conf, followed by restarting the
> agent) and see if it reports anything differently?
>
> Also, how did you generate such a large key?  gpg usually limits key
> generation to sane lengths.


OK, i'm now able to replicate the problem by making such a large key and
trying to use it with gpg-agent.  the key works fine as long as it has
no passphrase attached, but once i add a passphrase and try to use it,
gpg-agent crashes with:

    2016-12-05 11:30:11 gpg-agent[24311] Fatal: out of core in secure memory while allocating 640 bytes
    2016-12-05 11:30:11 gpg-agent[24311] socket file has been removed - shutting down

It'd be better to fail gracefully instead.

I'm attaching an encryption-capable 10240-bit RSA secret key (in OpenPGP
transferable secret key format, with passphrase "abc123") for use by
anyone who wants to test.  In a new GNUPGHOME, do:

    gpg --batch --yes --import test-hugekey.key
    echo test | gpg -r 861A97D02D4EE690A125DCC156CC9789743D4A89 --encrypt --armor --trust-model=always --batch --yes --output data.gpg
    gpg --decrypt data.gpg

you'll note that the agent dies when doing that :/

I'm reassigning and retitling the bug to gnupg-agent, since that seems
to be where the problem lies.

I also noticed that upstream's https://bugs.gnupg.org/gnupg/issue2857 is
quite similar, so i'm marking this as "forwarded" there.

     --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-hugekey.key
Type: application/pgp-keys
Size: 8133 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20161205/b04458df/attachment-0001.key>
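The message above asks whether a file under private-keys-v1.d belongs to an unusually large key. The following is an added example, not part of the original message or of GnuPG: a shell function that reads `gpg --with-colons --with-keygrip --list-secret-keys` output and reports the keygrip file name of every secret key above a size limit. The function names, the 4096-bit default limit and the sample listing (with made-up key IDs, fingerprints and keygrips) are assumptions.

```shell
#!/bin/sh
# Added example: find secret keys large enough to be worth checking before
# gpg-agent has to unprotect them.
#
# Input: colon-format listing on stdin. Record layout used here:
#   sec/ssb records: field 3 = key length in bits
#   grp records:     field 10 = keygrip of the preceding key record
# Output: one line per oversized key, "<bits> <keygrip>.key", where
# <keygrip>.key is the file name under ~/.gnupg/private-keys-v1.d/.

oversized_keys() {
    limit="${1:-4096}"    # assumed default threshold, adjust to local policy
    awk -F: -v max="$limit" '
        $1 == "sec" || $1 == "ssb" { bits = $3 + 0; pending = 1; next }
        $1 == "grp" && pending {
            if (bits > max) printf "%d %s.key\n", bits, $10
            pending = 0
        }
    '
}

# Constructed sample listing: one 10240-bit primary key and one 2048-bit
# subkey. All identifiers below are placeholders, not real keys.
sample_listing() {
    cat <<'EOF'
sec:u:10240:1:1111111111111111:1480955411:::u:::escaESCA:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1480955411::0000000000000000000000000000000000000000::Constructed Test Key::::::::::0:
ssb:u:2048:1:2222222222222222:1480955411::::::e:::+:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}

# Live use (not run here):
#   gpg --with-colons --with-keygrip --list-secret-keys | oversized_keys 4096
```

Each reported file name can then be compared by size against the other files in private-keys-v1.d, as the quoted question suggests.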