Benjamin-Loison / termux-packages

A package build system for Termux.
https://termux.dev

[Bug]: Update gpg and its components (which?) to not suffer from `gpg: ecdh failed in gcry_cipher_decrypt: Checksum error` #2

Open Benjamin-Loison opened 8 months ago

Benjamin-Loison commented 8 months ago

Problem description

```
$ git clone gcrypt::git@codeberg.org:Benjamin_Loison/CENSORED_REPOSITORY.git
Cloning into 'CENSORED_REPOSITORY'...
gcrypt: Decrypting manifest
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: Signature made 2023-11-23 19:04:18 +0100 CET
gpg:                using EDDSA key DF502D8E559475CC0E8889264257C6D7843DE78B
gpg: Good signature from "Benjamin Loison <CENSORED_EMAIL_0>" [unknown]
gpg:                 aka "Benjamin Loison <CENSORED_EMAIL_1>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF50 2D8E 5594 75CC 0E88  8926 4257 C6D7 843D E78B
gcrypt: Failed to decrypt manifest!
```

https://en.wikipedia.org/wiki/GNU_Privacy_Guard

Stable: 2.4.3 LTS: 2.2.41

Only interesting DuckDuckGo and Google results for ``:

```
$ gpg --list-keys
[keyboxd]
---------
pub   ed25519 2023-07-26 [SC]
      DF502D8E559475CC0E8889264257C6D7843DE78B
uid           [ unknown] Benjamin Loison <CENSORED_EMAIL_0>
uid           [ unknown] Benjamin Loison <CENSORED_EMAIL_1>
sub   cv25519 2023-07-26 [E]
```

So the issue is because there are multiple emails or because it is ed25519, but as I do not have this issue on my Linux Mint Framework, I guess it's the software version that is the issue:

On Termux:

```
$ gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2-unknown
...

Home: /data/data/com.termux/files/home/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

On my laptop:

```
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
...

Home: /home/benjamin/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

With:

```
$ gpg --list-keys
[keyboxd]
---------
pub   ed25519 2023-11-18 [SC]
      CDA8B68AE97F5FF546ED34F00134B33F185504E8
uid           [ultimate] CENSORED_NAME
sub   cv25519 2023-11-18 [E]
```

it works fine, but it was generated on Termux, while the first was generated on my laptop, possibly partially with Thunderbird, so the emails seem to be to blame.

Note that the test below was using my ~ git, hence it is maybe due to a non-identical email? No, because when I add `git config user.email "CENSORED"` before `git commit`, I still have the same issue.

With a Thunderbird-generated key with a single email, I have the same error on my laptop:

```
$ git push origin master
gcrypt: Decrypting manifest
gpg: selecting card failed: No such device
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: Signature made Sat 25 Nov 2023 03:09:25 AM CET
gpg:                using EDDSA key 26AE2C46177CB117A22230FA0D09DB3B921E705B
gpg: Good signature from "Benjamin Loison <CENSORED>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 26AE 2C46 177C B117 A222  30FA 0D09 DB3B 921E 705B
gcrypt: Failed to decrypt manifest!
```

Laptop:

```
REPOSITORY=test/; rm -Rf $REPOSITORY; mkdir $REPOSITORY && cd $REPOSITORY && git init && git config gpg.format openpgp && git remote add origin gcrypt::git@codeberg.org:Benjamin_Loison/Test.git && git config remote.origin.gcrypt-participants "26AE2C46177CB117A22230FA0D09DB3B921E705B" && git config --global user.signingkey "26AE2C46177CB117A22230FA0D09DB3B921E705B" && echo '# Test' > README.md && git add README.md && git commit -m 'Add `README.md`' && git push origin master
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /home/benjamin/Desktop/test/.git/
[master (root-commit) 4ea02ee] Add `README.md`
 1 file changed, 1 insertion(+)
 create mode 100644 README.md
gcrypt: Decrypting manifest
gpg: selecting card failed: No such device
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: Signature made Sat 25 Nov 2023 03:20:04 AM CET
gpg:                using EDDSA key 26AE2C46177CB117A22230FA0D09DB3B921E705B
gpg: Good signature from "Benjamin Loison <CENSORED>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 26AE 2C46 177C B117 A222  30FA 0D09 DB3B 921E 705B
gcrypt: Failed to decrypt manifest!
```

When I add ``; echo '# Test updated' > README.md && git commit -m 'Update `README.md`' -a && git push origin master``, I still have the issue on the second commit. Note that I have the same error when I push, but it seems to get uploaded to Codeberg anyway.

Concerning the upload, I do not seem to have the error on a production repository:

```
$ git push
gcrypt: Decrypting manifest
gpg: selecting card failed: No such device
gpg: Signature made Thu 23 Nov 2023 07:04:18 PM CET
gpg:                using EDDSA key DF502D8E559475CC0E8889264257C6D7843DE78B
gpg: Good signature from "Benjamin Loison <CENSORED_EMAIL_0>" [unknown]
gpg:                 aka "Benjamin Loison <CENSORED_EMAIL_1>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF50 2D8E 5594 75CC 0E88  8926 4257 C6D7 843D E78B
gcrypt: Due to a longstanding bug, this push implicitly has --force.
gcrypt: Consider explicitly passing --force, and setting
gcrypt: gcrypt's require-explicit-force-push git config key.
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Compressing objects: 100% (4/4), done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
gcrypt: Encrypting to:  -R 4257C6D7843DE78B -R 0134B33F185504E8
gcrypt: Requesting manifest signature
remote: . Processing 1 references
remote: Processed 1 references in total
To codeberg.org:Benjamin_Loison/CENSORED_REPOSITORY.git
   d3f4994..faa43fd  master -> master
```

Termux:

```
$ git clone gcrypt::git@codeberg.org:Benjamin_Loison/Test.git
Cloning into 'Test'...
gcrypt: Decrypting manifest
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: public key decryption failed: Checksum error
gpg: decryption failed: Checksum error
gcrypt: Failed to decrypt manifest!
```

Maybe it is just because, to some extent, ECC is not yet broadly supported.

Let us use RSA 4096 instead, as I am not able to `git pull` anymore on production git and I am starting to be fed up with this issue.

Related to #1.

Also seems unable to remove passphrase from private key on Termux, using this method.

What steps will reproduce the bug?

Not read

What is the expected behavior?

No response

System information

termux-info: