Encryption failed due to invalid key error. #117

Open
ghost opened this issue Feb 7, 2019 · 4 comments

ghost commented Feb 7, 2019

This error appears for every single UID:

"Encryption failed due to invalid key error. User may not have an encryption subkey or it may be expired."

Debug mode reveals that --no-default-keyring is passed both in the initial extraction and in the signing command:

DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --always-trust --armor -r ...

I thought that because my private key is on a different keyring than the keyring supplied as a parameter, it's being omitted from the temporary keyring and thus out of reach. So I ran:

gpg --export-secret-keys "$my_signing_key" | gpg --no-default-keyring --keyring keyring_to_sign.gpg --import

It imported okay but that did not change anything. I also have no problems clear-signing something using the staging key that pius makes:

gpg --no-default-keyring --keyring /tmp/pius_keyring.gpg --local-user "$my_signing_key" --clearsign "$arbitrary_file"

version

$ pius --version
pius 2.2.3
Owner

jaymzh commented Feb 7, 2019

Unless something has changed recently, the only thing that is required is that the public key you want to sign with has to be on the keyring. This is - I think - a reasonable assumption, since, if you were at the KSP, your key should be on the keyring. GPG will automatically pull a private key from the secret keyring that matches the signing key you're using - assuming the public key for said public key is available.

Also - I need to do a release... there's a ton of fixes on master that aren't in 2.2.3. :)

Owner

jaymzh commented Feb 7, 2019

Oh, slight correction to the above. In the default mode, since it sends a mime-encrypted email, you also need to have the public key of your encryption key on that keyring, if they are different (they aren't for most people). If you have separate subkeys for this, I can imagine a world in which you get yourself into trouble this way. The encryption step probably does not need the --no-default-keyring option...

Author

ghost commented Feb 15, 2019

Now I'm running with version 2.2.7 and get the same error. I have also confirmed that my pubkey is on the same keyring passed to pius along with the other attendees by running:

$ gpg --keyring signing_party_keyring.gpg --no-default-keyring --list-public-keys "$my_fpr"

I'm not doing anything non-trivial AFAIK, just trying to sign using an ordinary key that is both for signing and encryption.

The ultimate command that's failing is:

$ pius -A -s "$my_fpr" -r  signing_party_keyring.gpg -m '[email protected]' --encrypt-outfiles --out-dir="$HOME"/gpg_sigs/ --no-mail-tls -H 127.0.0.1 -P 25

(edit)
I see the problem. The default-key and encrypt-to parameters were configured in gpg.conf to a different key than the signing party key. So for me the correction is obviously to change those to match the signing party key. For you there may be no change... or perhaps pius could be made more robust by detecting this issue and erroring with a helpful error message. It's probably worthwhile to do this, because it's likely a common problem considering people going to keysigning parties are often transitioning to a new key and those parameters would easily be pointing to an old key.

Owner

jaymzh commented Feb 15, 2019

Ah, thanks for tracking that down. I will try to figure out how to raise this to the user!
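
One way a tool could catch the misconfiguration found in this thread before it attempts encryption, as an added example that is not part of the thread and not pius code: it scans gpg.conf text for `default-key` and `encrypt-to` entries that do not name the signing key. The function names, sample gpg.conf and fingerprint are constructed for illustration, and it assumes v4 keys, where a key ID is the tail of the fingerprint.

```python
import re

# gpg.conf options named in this thread that silently select a key.
KEY_OPTIONS = {"default-key", "encrypt-to"}
HEX_ID = re.compile(r"(?:[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40})")


def normalize(value):
    """Return an upper-case hex key ID or fingerprint, or None for a user ID."""
    v = re.sub(r"\s+", "", value).rstrip("!").upper()
    if v.startswith("0X"):
        v = v[2:]
    return v if HEX_ID.fullmatch(v) else None


def check_gpg_conf(conf_text, key_fprs):
    """Report default-key / encrypt-to lines that do not name the signing key.

    key_fprs: 40-hex fingerprints of the signing key and its subkeys.
    Returns (line_number, option, value, verdict) tuples; verdict is
    "mismatch" or "unresolved" (a user ID that needs a keyring lookup).
    """
    fprs = [f.replace(" ", "").upper() for f in key_fprs]
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0] not in KEY_OPTIONS:
            continue  # blank line, comment, or an unrelated option
        key_id = normalize(parts[1])
        if key_id is None:
            findings.append((lineno, parts[0], parts[1], "unresolved"))
        elif not any(f.endswith(key_id) for f in fprs):
            findings.append((lineno, parts[0], parts[1], "mismatch"))
    return findings


# Constructed sample: an old key is still configured after a key transition.
SAMPLE_CONF = """\
keyid-format long
# default-key 0x2222222222222222
default-key 0x1111111111111111
encrypt-to AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD22222222!
encrypt-to old-key@example.org
"""
NEW_KEY_FPR = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD22222222"  # constructed

if __name__ == "__main__":
    for lineno, option, value, verdict in check_gpg_conf(SAMPLE_CONF, [NEW_KEY_FPR]):
        print(f"gpg.conf line {lineno}: {option} {value} -> {verdict}")
```

Entries given as a user ID are reported as "unresolved" because matching them to a key requires a keyring lookup, which this check does not perform.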
