Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gpg: decryption failed: No secret key #92

Closed
ghost opened this issue Sep 7, 2015 · 54 comments
Closed

gpg: decryption failed: No secret key #92

ghost opened this issue Sep 7, 2015 · 54 comments

Comments

@ghost
Copy link

ghost commented Sep 7, 2015

I just installed Qtpass. It correctly sees all my previous accounts but I can't see their contents because of the following red error:

gpg: decryption failed: No secret key

It also doesn't ask me for the master password.

I tried changing settings in Configuration > Programs from "native git/gpg" to "use pass" but Qtpass always returns me the same error.

I'm also able to see my gpg secret key with the following command:

gpg --list-secret-keys
@wgroenewold
Copy link

Which options did you set for your GPG keys? @dennisdegreef has a great article about setting keys in GPG: http://www.dennisdegreef.net/2015/07/yubikey-neo-with-pgp-subkeys/

@dennisdegreef
Copy link
Contributor

@fturco Could it be that your terminal is using a custom $GPGHOME environment variable?

@ghost
Copy link
Author

ghost commented Sep 9, 2015

The following command returns nothing:

$ echo $GPGHOME

@ghost
Copy link
Author

ghost commented Sep 9, 2015

My knowledge of cryptography and GnuPG is quite limited. I don't know how to show options for GPG keys, but the following command output may be interesting:

$ gpg --edit-key XXXXXXXX
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/XXXXXXXX
     created: 2013-11-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/YYYYYYYY
     created: 2013-11-01  expires: never       usage: E   
[ultimate] (1). Francesco Turco <fturco@fastmail.fm>

@tristan-k
Copy link

I'm struggling with the same issue.

@dennisdegreef
Copy link
Contributor

@fturco @tristan-k What operating system are you running? May be related? (wild guess)

@tristan-k
Copy link

I'm using Ubuntu 15.04 64bit.

$ uname -a Linux Ubuntu 3.19.6 #1 SMP Wed Apr 29 11:04:21 MDT 2015 x86_64 x86_64 x86_64 GNU/Linux

@tristan-k
Copy link

I just tried to use my password-store with just pass and I'm getting the same error. I guess it must be related to my gpg-key then, but I dont have a clue. EDIT: Or maybe not, see this

@annejan
Copy link
Member

annejan commented Sep 29, 2015

Are you using Gnome?

It might be the Gnome Keyring https://github.com/IJHack/qtpass/blob/master/FAQ.md

@annejan
Copy link
Member

annejan commented Sep 29, 2015

Is gpg or gpg2 set in the [programs] tab in [config] ?

Can you try 'native' with the gpg2 executable set?

@tristan-k
Copy link

I do use Gnome Keyring but I disabled the autostart with X-GNOME-Autostart-enabled=false in ~/.config/autostart/gnome-keyring-gpg.desktop. I dont know to disable Gnome Keyring in Ubuntu without getting massive issues.

gpg2 is already set in the config. I also tried Use pass without success.

@annejan
Copy link
Member

annejan commented Sep 29, 2015

With a bit of luck I can try these things out tonight on a clean Ubuntu VM.

Will keep you updated.

@tristan-k
Copy link

Thanks! I appreciate your effort.

@ghost
Copy link
Author

ghost commented Sep 29, 2015

@dennisdegreef: I use the Parabola GNU/Linux-libre distribution, a derivative of Arch Linux.

@ghost
Copy link
Author

ghost commented Sep 29, 2015

@annejan: I get the same error message both under GNOME and under "pure" Openbox.

@annejan annejan added the bug label Oct 2, 2015
@skrzepto
Copy link

I'm getting the same issue with Fedora 22

@annejan
Copy link
Member

annejan commented Nov 24, 2015

Working on it, seems to mostly be a gpg2 or wrong settings for pinentry issue.
But we do have to adres this issue!

@skrzepto
Copy link

one thing I noticed is that when I decrypt the password file directly using gpg

gpg -d test.gpg

it prompts me for my pass pharase to unlock and successfully shows me whats inside. But when i try again using pass Email/test it fails again

$ pass -c Email/test 
gpg: decryption failed: No secret key

@annejan
Copy link
Member

annejan commented Nov 25, 2015

The passphrase dialog, is that a graphical or text-based one?

Unfortunately we can't "wrap" the cli passphrase dialog. Currently qtpass only works with a graphical "pinentry" dialog.

@skrzepto
Copy link

its the text-based one

@annejan
Copy link
Member

annejan commented Nov 25, 2015

There is currently no sane way to use that in combination with qtpass.

Implementing such a feature would probably introduce a plethora of security issues.

I'll see if there is a way to (via environment variables or such) force the use of a graphical version when using qtpass.
Or in the least warn about incompatibility.

@foamrider
Copy link

It must be a problem with pinentry then? I get the same error on a Mac OS X El Capitan. I'm able to decrypt using gpg2 -d test.gpg, but in qtpass:

gpg-agent[17546]: command get_passphrase failed: Inappropriate ioctl for device
gpg: problem with the agent: Inappropriate ioctl for device
gpg: decryption failed: No secret key

It never ask me for the passphrase, shouldn't it to this?

@annejan
Copy link
Member

annejan commented Feb 2, 2016

Where did you get the GnuPG from?
homebrew/macports or https://gpgtools.org/ ?

We cannot use the non-graphical pinentry . .
Since wrapping that would expose your passphrase/pin to QtPass, which is very bad from a separation of concerns PoV. Related: #156

GPG has graphical ways to ask for pinentry, which are the preferred way to do this in a graphical environment, however I haven't invested time to try out alternative GPG2 builds on OSX.

@foamrider
Copy link

Ah, ok. Installing from gpgtools.org solved my problem. Thanks.

@annejan annejan closed this as completed Feb 2, 2016
@annejan
Copy link
Member

annejan commented Feb 15, 2016

Via mail:

Looks like a compatibility issue has arisen between gpg and gpg2 where
gpg-generated keys don't make it into the secure keyring in gpg2.

When I ran gpg -K I saw both keys; when I ran gpg2 -K only the original
key was listed.

A workaround would be to aliased gpg to gpg2 in your .bashrc

@mashdot
Copy link

mashdot commented Feb 26, 2016

Recently had pass "break" on me, and this thread is all I could find so far. Running qtpass returns nothing.

~$ pass -c test
gpg: decryption failed: No secret key

But directly using gpg -d .password-store/test.gpg works fine and I can decrypt.

Linux tzara 4.3.0-1-amd64 #1 SMP Debian 4.3.5-1 (2016-02-06) x86_64 GNU/Linux

@annejan
Copy link
Member

annejan commented Feb 26, 2016

Could you try the same with gpg2?

It seems the gpg without 2 on the end has some issues with pass..

@annejan
Copy link
Member

annejan commented Feb 26, 2016

You could try switching to gpg in the "programs" tab in config but we also use the batch features of gpg2 like pass..
Perhaps using qtpass with your patched pass might also work.

I don't think implementing gpg1 compatibility will be a thing I'm likely to add in the forseeable future though.

@mashdot
Copy link

mashdot commented Feb 26, 2016

Well running qtpass doesn't do anything. I mean nothing, no program, no error, nada. Tried removing and reinstalling but no joy.

@annejan
Copy link
Member

annejan commented Feb 26, 2016

Ahh, that's a whole different issue than.

Could be related to the "single instance" stuff which will soon be fixed.
Or (if set) the hide to systray or menu bar feature.

The application when called just quits and doean't show any error message or anything?

You could try removing the config from ~/.config/IJhack/qtpass (or something close to that, on mobile atm)

If all else fails I'll have a look to see if I can reproduce this error tonight

@mashdot
Copy link

mashdot commented Feb 26, 2016

OK thanks, fiddled around ~/.config/IJHack/QtPass.conf and no joy. Tried to remove purge everything and reinstall and still nothing.

@krismatthews
Copy link

I ran into this problem as well, and it turned out to be self inflicted. My ~/.gnupg/gpg-agent.conf specified a pinentry-program that was not installed on my system. :)

@gmp216
Copy link

gmp216 commented Oct 21, 2016

I ran into the same problem with pass on the command line (not Qtpass) on Linux -- gpg would decrypt my passwords but the pass command would not. Turns out pass was calling gpg2 and gpg2 stores keys differently than gpg.

Simple fix is to import your secret key into gpg2. Now both gpg and gpg2 can read my secret key and all is well:

$ gpg --export [ID] > public.key
$ gpg --export-secret-key [ID] > private.key
$ gpg2 --import public.key
$ gpg2 --import private.key
$ rm public.key private.key

@alaindanet
Copy link

@gmp216 Thank you so much for sharing, I had the same problem with pass and your solution worked for me as well.
However, there is just a little typo mistake in your answer which made your fix failed in my first try.

You have just missed the s of keys in the export-secret-keys gpg argument.
The corrected line:
gpg --export-secret-keys [ID] > private.key

@muminoff
Copy link

muminoff commented Mar 1, 2017

I got it worked by just killing gpg-agent process.

@gloomytrousers
Copy link

Better commands, which avoid use of temporary files:

gpg --export [ID] | gpg2 --import
gpg --export-secret-keys [ID] | gpg2 --import

@Droogans
Copy link

@muminoff I tried killing gpg-agent like this, but wasn't able to wait long enough for it to complete (about 2 minutes).

I just restarted my machine and it was working again.

@ad-m
Copy link

ad-m commented Jan 15, 2018

Better command, which avoid copy&paste key ID:

gpg --export $(cat ~/.password-store/.gpg-id) | gpg2 --import
gpg --export-secret-keys $(cat ~/.password-store/.gpg-id) | gpg2 --import

Thanks @gmp216 to share you fix. It help me too!

@samhh
Copy link

samhh commented May 5, 2018

Tearing my hair out a bit here, struggling with the same issue. Sorry that this isn't really the right place but it's somehow become the most informative page on the net about this issue with GPG...! 😞

I'm on Arch with GPG version 2.2.6 (both gpg and gpg2 commands) and latest pass. As of a week ago I started getting this decryption failed error, interspersed with the occasional timeout error and the occasional success. It also causes my terminals (tried multiple) to fail to exit without me killing them. I've tried re-exporting/importing the keys (pub + priv), and I've tried killing gpg-agent by various different means, all of this to no success. I even tried reinstalling gnupg, gpgme, pinentry, and pass packages, which was challenging given that Pacman has a dependency on a couple of them! I have restarted multiple times as well. All to no avail. Most curiously, this happens not just with pass but also with plain gpg decryption (gpg -d <file>).

Anyone have any other ideas or steps I can take to debug? Cheers!

Edit: Turns out an update to I presume gpg caused it to no longer automatically know which pinentry application to use. Setting it specifically fixes it, e.g. (at ~/.gnupg/gpg-agent.conf - create it if it's not already there):

pinentry-program /usr/bin/pinentry-gtk-2

Replace that with another equivalent that works for you; this is what it was defaulting to before for me.

@otremblay
Copy link

I suffer from the same, running on Arch too. This is not a pass problem, it's a gpg problem, apparently.

@kenji21
Copy link
Contributor

kenji21 commented Jun 20, 2018

same problem on macOS, without using QtPass (can be reproduced when asking multiple password in parallel (from a python script or shell for example))

@guodong000
Copy link

@kenji21 use ps aux | grep gpg and find a gpg-agent daemon process. Kill it and retry.

@kenji21
Copy link
Contributor

kenji21 commented Aug 20, 2018

I can confirm that killing the agent did fix the issue

@horkko
Copy link

horkko commented Sep 12, 2018

I can confirm that killing the agent did fix the issue

Hi,
On Mac OSX using qtpass, I've had the same issue "gpg: decryption failed". Killing gpg-agent and running pass accout/foobar on command line work, also in QtPass.

@metanerd
Copy link

For me decrypting works both with gpg and gpg2 and still fails with pass.

@annejan
Copy link
Member

annejan commented Oct 23, 2018

Hi, @metanerd what OS / Distro etc are you running?

And is it failing with pass in the commandline too or only with QtPass using pass as backend?

@metanerd
Copy link

Yeah, sorry to bother you, I think it is another error. I was just using pass and not QtPass.

@annejan
Copy link
Member

annejan commented Oct 23, 2018

No worries . .

@gentios
Copy link

gentios commented May 8, 2019

For me none of the above solutions provided did work.
I found the solution in #179 where I had to install https://gpgtools.org/, and it worked

@donglixp
Copy link

I ran into the same problem with pass on the command line (not Qtpass) on Linux -- gpg would decrypt my passwords but the pass command would not. Turns out pass was calling gpg2 and gpg2 stores keys differently than gpg.

Simple fix is to import your secret key into gpg2. Now both gpg and gpg2 can read my secret key and all is well:

$ gpg --export [ID] > public.key
$ gpg --export-secret-key [ID] > private.key
$ gpg2 --import public.key
$ gpg2 --import private.key
$ rm public.key private.key

The method works for me.

@RussellBrand
Copy link

RussellBrand commented Sep 2, 2020

I hit this problem on MacOS after recovering from a machine crash.

Removing the socket files from ~/.gnupg/ solving it for me

S.gpg-agent:
S.gpg-agent.browser:
S.gpg-agent.extra:
S.gpg-agent.ssh:

@fuelen
Copy link

fuelen commented Mar 6, 2023

I didn't have ~/.gnupg/gpg-agent.conf file, so I created it with the following line:

pinentry-program /usr/bin/pinentry-qt

and qtpass shows me a GUI prompt now 🎉 , as CLI was used by default, as I understand.

@totalsouldisorder
Copy link

I didn't have ~/.gnupg/gpg-agent.conf file, so I created it with the following line:

pinentry-program /usr/bin/pinentry-qt

and qtpass shows me a GUI prompt now tada , as CLI was used by default, as I understand.

This worked for me, thanks so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests