LedgerHQ / app-ssh-agent

Simple SSH and GPG agent for Ledger Blue and Nano S
Apache License 2.0

Unable to decrypt GPG messages on Nano X #25

Closed atishnazir closed 4 years ago

atishnazir commented 5 years ago

Description

I've successfully generated a PGP key pair on a Nano X. When attempting to decrypt messages I receive the following error message:

gpg: encrypted with 256-bit ECDH key, ID CB3AC90B3C099F4B, created 2019-07-19
      "key@example.com"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key

Performing the exact same steps on a Nano S works perfectly. I have also initialised the Nano S with the same seed and start-time, and been able to decrypt the message used above.

Software Versions

| Component | Nano X | Nano S |
| --- | --- | --- |
| Firmware | 1.2.4-1 | 1.5.5 |
| SSH/PGP Agent | 0.0.5 | 0.0.5 |

| Component | Host |
| --- | --- |
| GnuPG | 2.2.12 |
| ledger-agent | 0.9.0 |
| libagent | 0.13.1 |

Test Case

#!/bin/bash

EMAIL="key@example.com"
SW_BACKED=${PWD}/testcase
HW_BACKED=${PWD}/testcase/ledger

# clean up from previous runs (deliberate lack of "t")
pkill -e ledger-gpg-agen
rm -rf "${SW_BACKED}"

# create key
mkdir --mode=700 "${SW_BACKED}"

env "GNUPGHOME=${HW_BACKED}" \
    ledger-gpg init  "${EMAIL}"

env "GNUPGHOME=${HW_BACKED}" gpg --export --armor "${EMAIL}" |
    env "GNUPGHOME=${SW_BACKED}" gpg --import

# create a message
echo Hola Mundo |
    env "GNUPGHOME=${SW_BACKED}" gpg --encrypt --armor --trust-model always --recipient "${EMAIL}" |
    env "GNUPGHOME=${HW_BACKED}" gpg --decrypt

feux07 commented 4 years ago

Hi,

I am also getting the same error with Ledger Nano S after upgrading to 1.6.0.

bereska commented 4 years ago

same here, any solution yet?

hakandurmaz commented 4 years ago

same here

bakibodur commented 4 years ago

Could you please check this issue asap?

hakangurrr commented 4 years ago

I have this problem with Ledger Nano S firmware version 1.6.0

uayturk commented 4 years ago

Same problem here for Ledger Nano X. Please check. Thanks and regards.

talhaaltinkaya commented 4 years ago

Can any developer handle this issue? Some devs are proposing a solution below. Please check it.

https://github.com/romanz/trezor-agent/issues/314#issuecomment-578928635

"Closing for now - since IIUC the problem is with the Ledger firmware (seems to return invalid elliptic curve key)"

juan-sebastian commented 4 years ago

Hello, any updates on this subject? I can't update the firmware on my Nano S until this is fixed; I use the GPG app for signing and SSH authentication every day.

gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: encrypted with 256-bit ECDH key, ID XXXXXXXXXXXXX, created 2019-05-22
      "key@example.com"
gpg: public key decryption failed: Checksum error
gpg: decryption failed: No secret key

I also have the same issue with my Ledger Nano X

Pedro-vk commented 4 years ago

The Ledger team could explain whether they are going to continue supporting this module or not. In any case, it is a problem for a lot of people. In my case, I can't decrypt some files.

bereska commented 4 years ago

@Pedro-vk @atishnazir same here, not sure this has been addressed by the devs

riordant commented 4 years ago

Same problem. There is a new release of this repo in releases (0.0.6) but it hasn't been added to Ledger Live yet. Custom installation doesn't work for me.

feux07 commented 4 years ago

Today a new version (0.0.6) was released. It still doesn't work, with the same problem.

feux07 commented 4 years ago

I am trying to reach them on Twitter. You can support if you want: https://twitter.com/feux07/status/1280825305914134530

Saltari commented 4 years ago

Sorry for the delay guys, version 0.0.7 deployed on nano x 1.2.4-1, 1.2.4-2 and nano s 1.6.0 solves the problem

atishnazir commented 4 years ago

@Saltari Thanks for your work, the PR fix looked straightforward.

Unable to verify your changes on the Nano-X as Ledger Live claims SSH agent 0.0.5 to be the latest. Do you have an idea when its catalogue will be updated?

Saltari commented 4 years ago

@atishnazir shall be good now, the app was only available on our test provider (developer feature of the live) but it was now put to prod

atishnazir commented 4 years ago

> @atishnazir shall be good now, the app was only available on our test provider (developer feature of the live) but it was now put to prod

I noticed the update on Prod from 0.0.5 to 0.0.6 last night along with a firmware update to 1.2.4-2. However at the point of writing prod only has 0.0.6, so missing relevant commit.

Screenshot from 2020-07-24 09-45-15

Saltari commented 4 years ago

You're absolutely right, I moved the 0.0.7 app from test to prod only for nanos 1.6.0 and nanox 1.2.4-1, I forgot nanox 1.2.4-2, should be fixed now, sorry about that!

atishnazir commented 4 years ago

> You're absolutely right, I moved the 0.0.7 app from test to prod only for nanos 1.6.0 and nanox 1.2.4-1, I forgot nanox 1.2.4-2, should be fixed now, sorry about that!

Verified with my test case on a Nano X. Will verify on Nano S later once happy I can safely use Nano X for what I'm currently using my Nano S for. Will close ticket then.

Thanks.

atishnazir commented 4 years ago

Verified to be fixed on:

| Component | Nano X | Nano S |
| --- | --- | --- |
| Firmware | 1.2.4-2 | 1.6.0 |
| SSH/PGP Agent | 0.0.7 | 0.0.7 |

bereska commented 4 years ago

@atishnazir, thank you. It works great on nano x 1.2.4.-2 with 0.0.7 now

bereska commented 4 years ago

@Saltari thank you for the great job on SSH/PGP. Any timeline for an OpenPGP full-featured setup guide on nano s/x?

juan-sebastian commented 4 years ago

Hi @Saltari,

Thanks for your work, but I'm sad to report that decryption still doesn't work when you use an ed25519/cv25519 key. These are my results with the Ledger Nano S and Nano X.

$ gpg -d secret.txt.gpg
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: encrypted with 256-bit ECDH key, ID XXXXXXXXXX, created 2019-05-22
      "Juan Sebastian Pena Rodriguez <email@example.com>"
gpg: public key decryption failed: Checksum error
gpg: decryption failed: No secret key

$ gpg -d secret.txt.gpg
gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
gpg: encrypted with 256-bit ECDH key, ID XXXXXXXXXX, created 2019-05-22
      "Juan Sebastian Pena Rodriguez <email@example.com>"
gpg: public key decryption failed: Checksum error
gpg: decryption failed: No secret key

So as you can see in both cases I'm not able to decrypt the message.

But when I use my regular Ledger Nano S with the old firmware everything works as expected, as you can see below

$ gpg -d secret.txt.gpg
gpg: encrypted with 256-bit ECDH key, ID XXXXXXXXXX, created 2019-05-22
      "Juan Sebastian Pena Rodriguez <email@example.com>"
this is a secret

juan-sebastian commented 4 years ago

Well, sorry for the noise. I was restoring the key incorrectly; everything works as expected 🙈