voxpupuli / hiera-eyaml-gpg

GPG encryption backend for the hiera-eyaml module
MIT License

Support selecting key if more than one secret key exists #6

Open andybotting opened 10 years ago

andybotting commented 10 years ago

I have two GPG secret keys in my keyring.

I think the wrong one is listed first, so any 'encrypt' operations result in this:

/home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/ctx.rb:432:in `encrypt': General error (GPGME::Error::General)
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/crypto.rb:99:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/ctx.rb:67:in `new'
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/crypto.rb:90:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-gpg-0.2/lib/hiera/backend/eyaml/encryptors/gpg.rb:123:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/lib/hiera/backend/eyaml/actions/encrypt_action.rb:38:in `execute'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/lib/hiera/backend/eyaml/CLI.rb:101:in `execute'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/bin/eyaml:13
    from /home/andy/.gem/ruby/1.8/bin/eyaml:19:in `load'
    from /home/andy/.gem/ruby/1.8/bin/eyaml:19

I'm running Ruby 1.8 (for Puppet 2.7.x compatibility) on Arch Linux, with the following gems installed:

jgmchan commented 10 years ago

As far as I understand GPG, you use the public key of the recipients to encrypt something, not with your secret key.

Your secret key is used to decrypt a message which someone else has encrypted with your public key.

Can you supply some more information about this problem you are having? I suspect it might be something to do with the public keys in your keyring.

gfa commented 5 years ago

Hello

I have exactly the same issue: I have 2 valid encryption subkeys in my GPG key (and 3 non-valid encryption subkeys). In order to use the 2 valid encryption subkeys and not the invalid ones, I give the subkey IDs followed by ! to gpg as recipient:

$ gpg -e -r 0xSUBKEY_ID! < text

I've configured gpg_recipients_file and put both SUBKEY_IDs in the gpg_recipients_file.

Looking at the debug log (GPGME_DEBUG=9), I can see that gpgme (or hiera-eyaml-gpg, I really don't know) first lists all the keys associated with the recipient that is passed:

$ eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients '0x376920A4AE80E637!' 2>&1
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: enter: path=0x5623e664a050, path=/usr/bin/gpg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 0] = gpg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 1] = --batch
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 2] = --no-sk-comments
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 3] = --homedir
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 4] = /home/gfa/.gnupg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 5] = --status-fd
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 6] = 8
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 7] = --no-tty
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 8] = --charset
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[ 9] = utf8
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[10] = --enable-progress-filter
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[11] = --exit-on-status-write-error
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[12] = --display
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[13] = :0
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[14] = --ttyname
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[15] = /dev/pts/2
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[16] = --ttytype
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[17] = screen-256color
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[18] = --logger-fd
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[19] = 12
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[20] = --with-colons
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[21] = --list-keys
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[22] = --
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, argv[23] = 0x376920A4AE80E637!
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, fd[0] = 0x8
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, fd[1] = 0xa -> 0x1
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e664a050, fd[2] = 0xc

That resolves to the ID of my master key, which is afterwards used to encrypt the message:

GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: enter: path=0x5623e6860d00, path=/usr/bin/gpg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 0] = gpg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 1] = --enable-special-filenames
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 2] = --batch
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 3] = --no-sk-comments
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 4] = --homedir
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 5] = /home/gfa/.gnupg
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 6] = --status-fd
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 7] = 8
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 8] = --no-tty
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[ 9] = --charset
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[10] = utf8
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[11] = --enable-progress-filter
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[12] = --exit-on-status-write-error
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[13] = --display
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[14] = :0
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[15] = --ttyname
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[16] = /dev/pts/2
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[17] = --ttytype
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[18] = screen-256color
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[19] = --logger-fd
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[20] = 10
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[21] = --encrypt
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[22] = -r
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[23] = 1AE0322EB8F74717BDEABF1D44BB1BA79F6C6333
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[24] = --output
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[25] = -
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[26] = --
GPGME 2019-03-11 01:01:32 <0x70a8>    _gpgme_io_spawn: check: path=0x5623e6860d00, argv[27] = -&13

Then it fails (fails in the sense that it is not encrypted with the key I want it to be encrypted with), because gpg now chooses whatever subkey it wants from my key instead of the configured ones.

Maybe, instead of using the first key, key_to_use should be equal to --gpg-recipients if they start with 0x?

Let me know if I can help with testing or providing more information. Thanks for the backend :)

EDIT: typo
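Added example, not code from the issue or from hiera-eyaml-gpg: a small Ruby parser over a constructed `gpg --with-colons --list-keys` listing that shows what the `!` suffix has to preserve (the exact subkey fingerprint rather than the primary key fingerprint gpgme substitutes, as in the two spawn logs above) and lets you check a gpg_recipients_file entry before encrypting. All key IDs and fingerprints in the sample are invented.

```ruby
# Constructed sample of `gpg --with-colons --list-keys` output: one primary key
# with two encryption subkeys, the second of which is expired (validity 'e').
# All key IDs and fingerprints are invented for this example.
SAMPLE_LISTING = <<~GPG
  pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:
  fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
  uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
  sub:u:4096:1:2222222222222222:1500000000::::::e::::::23:
  fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
  sub:e:4096:1:3333333333333333:1500000000:1510000000:::::e::::::23:
  fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
GPG

# Parse the listing into records. Each subkey remembers its primary key, because
# the primary fingerprint is what gpgme hands to `gpg -r` once it has resolved a
# recipient string to a key object (the second spawn log above).
def parse_colon_listing(text)
  records = []
  last_pub = current = nil
  text.each_line do |line|
    f = line.chomp.split(':', -1)
    case f[0]
    when 'pub', 'sub'
      current = { type: f[0], validity: f[1], keyid: f[4], caps: f[11].to_s, fpr: nil }
      last_pub = current if f[0] == 'pub'
      current[:primary] = last_pub
      records << current
    when 'fpr'
      current[:fpr] = f[9] if current # field 10 of an fpr record is the fingerprint
    end
  end
  records
end

# gpg only encrypts to a key with capability 'e' that is not expired, revoked,
# invalid or disabled.
def usable_for_encryption?(rec)
  rec[:caps].include?('e') && !%w[e r i d].include?(rec[:validity])
end

def usable_encryption_subkeys(records)
  records.select { |r| r[:type] == 'sub' && usable_for_encryption?(r) }
end

# Resolve one --gpg-recipients entry. A trailing "!" pins the exact subkey (which
# must itself be usable); without it the entry collapses to the primary
# fingerprint and gpg picks the subkey, which is the behaviour reported above.
def resolve_recipient(records, spec)
  exact = spec.end_with?('!')
  id = spec.sub(/!\z/, '').sub(/\A0x/i, '').upcase
  rec = records.find { |r| r[:keyid].end_with?(id) || r[:fpr].to_s.end_with?(id) }
  raise ArgumentError, "no key matches #{spec}" unless rec
  return rec[:primary][:fpr] unless exact
  raise ArgumentError, "#{spec} is not a usable encryption key" unless usable_for_encryption?(rec)
  "#{rec[:fpr]}!"
end

KEYS = parse_colon_listing(SAMPLE_LISTING)
```

Feeding the real listing through `resolve_recipient` for every line of gpg_recipients_file shows which entries would be pinned and which would silently fall back to the primary key.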