terraform-provider-pass

Failed to decrypt with gnupg 2.2.4

Open sherzberg opened this issue 6 years ago • 6 comments

I don't think this is an issue with this terraform provider, but I opened a ticket here first because it is easily reproducible with a simple terraform config. Mainly wanted to drop it here to see if anyone else has run into this issue.

Given a sufficiently large set of pass secrets to refresh, we get failed to decrypt errors on plans. This only seems to happen on > 2.1 gnupg. We have tried several versions of terraform and gnupg, but our testing seems to point to gnupg > 2.1.

Here is some terraform that will replicate the behavior.

provider "pass" {
  refresh_store = false
}

data "pass_password" "dummy" {
  path = "dummy/dummy-${count.index + 1}"

  count = "100"
}

We consistently get something like this:

Error: Error refreshing state: 1 error(s) occurred:

* data.pass_password.dummy: 23 error(s) occurred:

* data.pass_password.dummy[46]: data.pass_password.dummy.46: failed to read password at dummy/dummy-47: Failed to decrypt
* data.pass_password.dummy[12]: data.pass_password.dummy.12: failed to read password at dummy/dummy-13: Failed to decrypt
<redacted more errors>

Software versions:

gpg (GnuPG) 2.2.4
Terraform v0.11.7
terraform-provider-pass 1.0.1

sherzberg avatar May 03 '18 18:05 sherzberg

This will quickly become a more common issue as the latest Fedora and Ubuntu will likely be using these newer versions, though perhaps it will get patched on the gnupg side soon.

dragon788 avatar May 11 '18 01:05 dragon788

This appears to have a potential fix in newer libgcrypt versions, but I'm not sure how those interact with the pass/gopass implementations.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882985

dragon788 avatar Jul 02 '18 20:07 dragon788

This is weird, I'm on Debian sid with gpg 2.2.8 and I don't have any issue...

mcanevet avatar Jul 03 '18 06:07 mcanevet

@sherzberg Tried to enable auto expand of secmem?

echo "auto-expand-secmem 0x30000" >> "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"

wsandin avatar Jul 17 '18 13:07 wsandin
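
An idempotent way to apply the auto-expand-secmem setting suggested in the comment above, as an added example that is not part of the thread or the provider's code: it replaces the option instead of appending a duplicate on each run, and stops the running gpg-agent so the value is read when the agent next starts. The function names and the --apply switch are hypothetical; 0x30000 is the value from the comment.

```shell
#!/bin/sh
# Added example: set a gpg-agent.conf option exactly once, then restart the agent.

# set_agent_option FILE KEY VALUE
# Removes any active "KEY ..." line, then appends "KEY VALUE". Comments are kept.
set_agent_option() {
    local conf="$1" key="$2" value="$3" tmp
    mkdir -p "$(dirname "$conf")" && touch "$conf" || return 1
    # mktemp creates the file with mode 0600, suitable for a GnuPG home directory.
    tmp="$(mktemp "${conf}.XXXXXX")" || return 1
    awk -v k="$key" '$1 != k' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# count_option FILE KEY: prints how many active lines set KEY.
count_option() {
    awk -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# apply_secmem_setting [VALUE]: writes the option into the effective GnuPG home.
apply_secmem_setting() {
    local home="${GNUPGHOME:-$HOME/.gnupg}"
    set_agent_option "$home/gpg-agent.conf" auto-expand-secmem "${1:-0x30000}" || return 1
    # A running agent keeps its old settings; stop it so the next gpg call
    # launches a fresh agent that reads the updated file.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    fi
}

# Only touch the real configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_secmem_setting "${2:-0x30000}"
fi
```
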

I seem to be having this problem on a regular basis. I am running Fedora 28 with the following versions:

gnupg2 2.2.8
Terraform v0.11.7
terraform-provider-pass 1.1.0

@wsandin, I have tried the auto expand, but it does not seem to make any difference. Thank you for the suggestion.

xsnrg avatar Aug 27 '18 16:08 xsnrg

@wsandin sorry for the delay. I'm back on this now since I have just moved to a new laptop. The suggestion you gave did not seem to help. Any other suggestions?

sherzberg avatar Oct 02 '18 17:10 sherzberg