Error: openpgp: invalid data: tag byte does not have MSB set #2843

Closed
justlooks opened this issue Aug 23, 2017 · 21 comments

@justlooks

When I use the command from the user manual, I get an error. Why?

% gpg --list-secret-keys
/Users/Alex/.gnupg/pubring.kbx
------------------------------
sec   rsa4096 2017-08-23 [SC]
      BCC9A338D1F5990A21A8AA4213F326CBB263D868

%  helm package --sign --key 'helm signing key' --keyring /Users/Alex/.gnupg/pubring.kbx alpine
Successfully packaged chart and saved it to: /Users/Alex/Documents/FileZilla.app/alpine-0.1.0.tgz
Error: openpgp: invalid data: tag byte does not have MSB set

@justlooks
Author

% helm version
Client: &version.Version{SemVer:"v2.6.0", GitCommit:"5bc7c619f85d74702e810a8325e0a24f729aa11a", GitTreeState:"clean"}
Error: cannot connect to Tiller

$ gpg --version
gpg (GnuPG) 2.1.23
libgcrypt 1.8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/Alex/.gnupg
支持的算法:
公钥:RSA, ELG, DSA, ECDH, ECDSA, EDDSA
对称加密:IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
散列:SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
压缩:不压缩, ZIP, ZLIB, BZIP2

@bacongobbler
Member

ping @technosophos, any clue on this bug?

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@jaredallard

jaredallard commented Feb 23, 2018

This appears to be broken due to the new GPG 2.1 version that removes secring.gpg, so if you're using the latest version of GPG it won't work at all.

@bacongobbler
Member

/remove-lifecycle stale

@jaredallard

jaredallard commented Feb 23, 2018

Attempting to verify a helm package with gpg 2.2.4 results in:

[debug] Created tunnel using local port: '65416'

[debug] SERVER: "127.0.0.1:65416"

[debug] Original chart version: ""
Error: failed to load keyring: open /Users/jaredallard/.gnupg/pubring.gpg: no such file or directory

Running ln -s ~/.gnupg/pubring.kbx ~/.gnupg/pubring.gpg results in:

[debug] Created tunnel using local port: '49500'

[debug] SERVER: "127.0.0.1:49500"

[debug] Original chart version: ""
Error: failed to load keyring: openpgp: invalid data: tag byte does not have MSB set

So, all of the gpg-related functions appear to be broken with gpg 2.1+.

@lrvick

lrvick commented Apr 8, 2018

Able to reproduce here too. Smartcard support was not working until gpg 2x and signing is totally broken in gpg 2x which in turn means smartcard signing with helm is not currently possible at all.

This is a major blocker that prevents usage of helm at two organizations I manage.

[lrvick@qatan kubernetes]$ helm version
Client: &version.Version{SemVer:"v2.9.0-rc3", GitCommit:"60abcdca41f544caaecb224acbfb92aee11e1f6e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.9.0-rc3", GitCommit:"60abcdca41f544caaecb224acbfb92aee11e1f6e", GitTreeState:"clean"}

[lrvick@qatan kubernetes]$ gpg --version
gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/lrvick/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[lrvick@qatan kubernetes]$ gpg --list-secret-keys
/home/lrvick/.gnupg/pubring.kbx
-------------------------------
sec>  rsa4096 2009-05-09 [SC] [expires: 2018-07-03]
      6B61ECD76088748C70590D55E90A401336C8AAA9
      Card serial no. = FFFE 87021724
uid           [ultimate] Lance R. Vick (Personal) <lance@lrvick.net>
uid           [ultimate] [jpeg image of size 6119]
uid           [ultimate] Lance R. Vick (Work) <lance@bitgo.com>
ssb#  rsa2048 2015-03-19 [S] [expires: 2018-05-29]
ssb#  rsa2048 2015-03-19 [E] [expires: 2018-05-29]
ssb#  rsa2048 2015-03-19 [A] [expires: 2018-05-29]
ssb>  rsa4096 2009-05-09 [E] [expires: 2018-07-03]
ssb>  rsa4096 2015-02-01 [A] [expires: 2018-07-03]
ssb>  rsa4096 2016-02-15 [S] [expires: 2018-07-03]

[lrvick@qatan kubernetes]$ helm package --sign --key 6B61ECD76088748C70590D55E90A401336C8AAA9 --keyring /home/lrvick/.gnupg/pubring.kbx test

Successfully packaged chart and saved it to: /home/lrvick/Sources/lrvick-infra/kubernetes/test-0.1.0.tgz
Error: openpgp: invalid data: tag byte does not have MSB set

@technosophos
Member

Trying to hunt this down now

@technosophos
Member

technosophos commented Sep 26, 2018

Testing with older keyrings seems to work fine, so this does appear to be something caused by a newer GnuPG version. But I am still testing, so I may know more in a bit.

gpg (GnuPG) 2.1.21
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/technosophos/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

@technosophos
Member

technosophos commented Sep 27, 2018

Okay, in the process of testing, it appears that the GnuPG keyring format has changed. This is totally allowed by the OpenPGP spec, which does not require that a keyring be in a particular format.

If I run gpg --export --outfile newkeyring.gpg and then load that new keyring, it works fine, because that puts the keys in the format described by section 4.2 of the OpenPGP spec.

The relevant GnuPG announcement: https://gnupg.org/faq/whats-new-in-2.1.html#keybox

Update: Use --export-secret-keys to export the secret keys (signing), or --export to export your public keys (verifying).

@technosophos
Member

After taking a long look at the code, I actually really like what GnuPG did... but I don't have time to implement an undocumented file format. So for now, I'm going to suggest that we export to the binary entity-list format and continue using that.

If anyone feels like a fun challenge, here's the code for the new file format. It would be awesome to have this as a stand-alone Go library.

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=kbx/keybox-file.c;h=046e3212304278c6232777b0a0c080656517ff5d;hb=refs/heads/master
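
A pre-flight check for the failure discussed in this thread, added here as an example (it is not Helm's or GnuPG's code): it classifies a keyring file by its leading bytes, so a keybox file is reported as such instead of surfacing the parser's "tag byte does not have MSB set". The names `KeyringKind` and `ClassifyKeyring` are hypothetical, the header layout checked (blob type 1 at offset 4, magic "KBXf" at offset 8) follows the GnuPG keybox source linked above, and the sample bytes in `main` are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// KeyringKind is a hypothetical classification used only in this example.
type KeyringKind string

const (
	KindOpenPGP KeyringKind = "openpgp-binary"
	KindKeybox  KeyringKind = "gnupg-keybox"
	KindArmored KeyringKind = "ascii-armored"
	KindUnknown KeyringKind = "unknown"
)

// ClassifyKeyring inspects the leading bytes of a keyring file.
func ClassifyKeyring(head []byte) (KeyringKind, string) {
	if len(head) == 0 {
		return KindUnknown, "empty file"
	}
	// Keybox header blob: u32 length, type 1, version, u16 flags, magic "KBXf".
	if len(head) >= 12 && head[4] == 1 && bytes.Equal(head[8:12], []byte("KBXf")) {
		n := binary.BigEndian.Uint32(head[:4])
		return KindKeybox, fmt.Sprintf("keybox header blob (%d bytes); export with gpg --export or --export-secret-keys", n)
	}
	if bytes.HasPrefix(bytes.TrimLeft(head, " \t\r\n"), []byte("-----BEGIN PGP ")) {
		return KindArmored, "armored; dearmor before loading as a binary keyring"
	}
	// RFC 4880 section 4.2: bit 7 of every packet tag is always one.
	if head[0]&0x80 == 0 {
		return KindUnknown, fmt.Sprintf("first byte 0x%02x has no MSB: not an OpenPGP packet", head[0])
	}
	// Old format: tag in bits 5-2; new format (bit 6 set): tag in bits 5-0.
	tag := (head[0] >> 2) & 0x0f
	if head[0]&0x40 != 0 {
		tag = head[0] & 0x3f
	}
	return KindOpenPGP, fmt.Sprintf("packet tag %d", tag)
}

func main() {
	kbx := []byte{0, 0, 0, 32, 1, 1, 0, 2, 'K', 'B', 'X', 'f', 0, 0, 0, 0} // constructed keybox header
	pub := []byte{0x99, 0x02, 0x0d, 0x04}                                  // constructed start of an exported public key
	for _, s := range [][]byte{kbx, pub} {
		k, why := ClassifyKeyring(s)
		fmt.Printf("%-15s %s\n", k, why)
	}
}
```

Feed it the first 16 bytes or so of the file passed to `--keyring`; packet tag 6 is a public key and tag 5 a secret key, which is what the exported keyrings begin with.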

@jaredallard

I don't feel that this should be closed @technosophos. Converting from one format to the other isn't really a valid workaround and introduces differences between the two rings. Sure, the documentation is useful, but this is still an out-of-the-box issue for most (if not all) Linux users.

@technosophos
Member

What do you suggest the fix is?

@jmataa

jmataa commented Dec 20, 2018

FYI, I think there has been an openpgp issue raised here for the new format:
golang/go#29082

@technosophos
Member

I have it on my todo list to write a keybox library, but it's nowhere near a high priority for me. So if they make any progress I will be very, very happy.

@ghost

ghost commented May 19, 2020

I have got this error > Error: openpgp: invalid data: tag byte does not have MSB set

I was able to solve it using the steps below.
Execute: gpg --export-secret-keys >~/.gnupg/secring.gpg

Explanation: GnuPG v2 stores your secret keyring using a new format, kbx, at the default location ~/.gnupg/pubring.kbx. Please use the following command to convert your keyring to the legacy gpg format:

The output:
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/narendranathreddy/.gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded

and upon checking, ~/.gnupg/secring.gpg exists.

We can use secring.gpg to sign the packages using the command below:
helm package --sign --key 'Narendranath Reddy' --keyring ~/.gnupg/secring.gpg sample-app

Output:
Successfully packaged chart and saved it to: /Volumes/REDLAB/Projects/books/chapter-5/sample-app-0.1.0.tgz

@4mig4

4mig4 commented Sep 2, 2021

I still have this problem, I do not think this issue should be closed at all until resolved.

@jedcunningham

After hitting this trying to use a key on a smartcard (yubikey), I found that the Helm GnuPG plugin works as expected! It generates a provenance file and helm verify is happy too (if you have a GnuPG v1 keyring to run it against).

@vineetguptadev

vineetguptadev commented Jan 19, 2023

I just want to reiterate that this is still an issue and I am having a hard time fixing this.

echo "$HELM_KEY_PASSPHRASE" | gpg --batch --yes  --passphrase-fd 0 ~/.gnupg/secring.gpg
helm create mychart
helm package --sign --key 'bot' --keyring ~/.gnupg/secring.gpg mychart


gpg: encrypted with 1 passphrase
Creating mychart
Error: openpgp: invalid data: tag byte does not have MSB set
Error: Process completed with exit code 1.

@Flannigan

@vineetguptadev I was just able to resolve a similar error, albeit on the helm verify side, by converting my keyring to the old format as outlined in the current helm docs:

$ gpg --export >~/.gnupg/pubring.gpg
$ gpg --export-secret-keys >~/.gnupg/secring.gpg

Have you tried that and / or did it work?
