[pass] gpg: decryption failed: No secret key

Remi Bruggeman remi at remisan.be
Wed Aug 31 10:09:43 CEST 2016


Hey David,

Thanks for your quick response.
I believe the problem is that the private keys are on an FSFE smart card.
GPG is able to access the smartcard, GPG2 gives problems:
remi at dimac:~/bkr$ gpg2 --card-edit

gpg: OpenPGP card not available: No SmartCard daemon

gpg/card> list

gpg: OpenPGP card not available: No SmartCard daemon

gpg/card> q
remi at dimac:~/bkr$ gpg --card-edit

gpg: detected reader `Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070000000000000) 00 00'
Application ID ...: D2760000000102010005000000000000
Version ..........: 2.1
Manufacturer .....: ZeitControl
[...]
-----------
I have attempted to decrypt the password again using both GPG and GPG2: It is clear GPG2 cannot find the private keys on the smart card:
pass email/test
gpg: decryption failed: No secret key
remi at dimac:~$ gpg --decrypt < '.password-store/email/test.gpg'
gpg: detected reader `Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070000000000000) 00 00'

Please enter the PIN
gpg: encrypted with 2048-bit RSA key, ID DDxxxxxx, created 2016-07-03
      "Remi Bruggeman (xxxx) <remi at xxxx.be>"
]G2%9|;+LM[G}:mg2v+TuA13ZCYQP~$l
remi at dimac:~$ gpg2 --decrypt < '.password-store/email/test.gpg'
gpg: encrypted with 2048-bit RSA key, ID DDxxxxxx, created 2016-07-03
      "Remi Bruggeman (xxxx) <remi at xxxx.be>"
gpg: public key decryption failed: No SmartCard daemon
gpg: decryption failed: No secret key
-----------------
I'm now going to start finding out how I can get GPG2 to work with the card.


Best regards

Remi




----- Original Message -----
From: "David Dahlberg" <david.dahlberg at fkie.fraunhofer.de>
To: "password-store" <password-store at lists.zx2c4.com>
Sent: Wednesday, 31 August, 2016 09:09:37
Subject: Re: [pass] gpg: decryption failed: No secret key

On Wednesday, 31.08.2016, at 08:24 +0200, Remi Bruggeman wrote:

> ## Decrypting outside pass works:
> gpg --decrypt < '.password-store/email/anon.com.gpg'
[..]
> ## Decrypting pass does not work:
> me at deb:~$ pass email/anonymousspeech.com

Plenty of people had this problem, so I am answering once again to the
list ... for the archives.

The likely problem that you encounter here is not one of pass, but of
gpg2. Pass uses gpg2 in favour of gpg, if it finds it.

This is the problem:

Gpg2 deprecated md5 and other old stuff a while ago (last year?).
Unfortunately, WK seems to have done it in a manner that does not only
impact keys and files that are actually using the old algorithms, but
just having some old PGP2-style keys somewhere in your keyring seems to be
enough to let gpg2 struggle.

Why can you decode by hand?

Because you were using gpg, not gpg2. Be aware that gpg also deprecated
those algorithms very recently, so this change may hit your distribution
sooner or later.

What can you do?

1. Back up your keyring to a safe location.
2. Export the keys that you need with gpg.
3. Create a new keyring and import keys with gpg2.

Cheers

	David
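
The three steps David lists above, written out as one shell function. This is an added example, not part of either message and not code from pass; the GPG1/GPG2 variables, the function name and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. GPG1/GPG2 and all paths are assumptions.
GPG1="${GPG1:-gpg}"     # the 1.x binary that can still read the old keyring
GPG2="${GPG2:-gpg2}"    # the binary pass prefers when it finds it

# Usage: migrate_keyring OLD_HOME NEW_HOME BACKUP_DIR KEYID...
# The body runs in a subshell, so umask and variables do not leak to the caller.
migrate_keyring() (
    old="$1"; new="$2"; backup="$3"
    [ "$#" -ge 4 ] || { echo "usage: migrate_keyring OLD NEW BACKUP KEYID..." >&2; exit 2; }
    shift 3
    [ -d "$old" ] || { echo "no keyring directory at $old" >&2; exit 1; }
    [ ! -e "$new" ] || { echo "$new exists, refusing to overwrite" >&2; exit 1; }
    [ ! -e "$backup/gnupg-old" ] || { echo "backup already present" >&2; exit 1; }
    umask 077   # backup and export files hold secret key material

    # 1. Back up the whole old keyring directory before touching anything.
    mkdir -p "$backup" && cp -Rp "$old" "$backup/gnupg-old" || exit 1

    # 2. Export only the keys that are needed, using gpg 1.x.
    tmp="$(mktemp -d)" || exit 1
    status=0
    {
        "$GPG1" --homedir "$old" --export "$@" > "$tmp/public.gpg" &&
        "$GPG1" --homedir "$old" --export-secret-keys "$@" > "$tmp/secret.gpg" &&
        # 3. Create a new, empty keyring and import the exports with gpg2.
        mkdir "$new" &&
        "$GPG2" --homedir "$new" --import "$tmp/public.gpg" "$tmp/secret.gpg"
    } || status=1

    rm -rf "$tmp"   # never leave exported secret keys behind
    exit "$status"
)
```

For keys that live on a smart card, as in Remi's case, the secret export contains only stubs that point at the card, so gpg2 still needs a working smart card daemon after the import.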