vim-gnupg

Provide feedback on files with MDC protection

Open mortoray opened this issue 5 years ago • 9 comments

The plugin is unable to decrypt files in Ubuntu 18.04. I just get a "Message could not be decrypted! (Press ENTER)" error in vim. The same setup worked fine in Ubuntu 16.04.

I noticed that I have to use the Qt pinentry program now for gpg to work at all -- the TTY entry does not work anymore. It may be a defect that has appeared in GPG too, but I don't know how to test that.

mortoray avatar Sep 13 '18 20:09 mortoray

What version of the plugin are you using?

Are you using nvim or vim, and which version?

jamessan avatar Sep 13 '18 21:09 jamessan

I had problems, so I updated to the newest version from the repository here and tried again. (Last Change: 2018 Aug 06)

I'm using:

VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Apr 10 2018 21:31:58)
gpg (GnuPG) 2.2.4
pinentry-qt (pinentry) 1.1.0
Linux gnome-MS-7A94 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

mortoray avatar Sep 13 '18 21:09 mortoray

Perhaps useful:

  1. Run: vim some_file.gpg
  2. Prompted for password
  3. Decryption fails
  4. run: gpg -d some_file.gpg
  5. decryption works

That would at least confirm it did connect to the agent and get/store the correct password, I think. Rerunning vim some_file.gpg avoids the password entry (due to gpg-agent), and gets the same decryption error.

mortoray avatar Sep 13 '18 21:09 mortoray

  • Run vim --cmd 'let g:GPGDebugLevel=3' --cmd 'let g:GPGDebugLog="debug.txt"'
  • :edit some_file.gpg
  • Exit Vim and post the contents of debug.txt

jamessan avatar Sep 13 '18 23:09 jamessan

GnuPG: >>>>>>>> Entering s:GPGInit(1)
GnuPG: gnupg.vim 2.7.0-dev
GnuPG: shellredirsave: >%s 2>&1
GnuPG: shellsave: /bin/sh
GnuPG: shelltempsave: 1
GnuPG: shell: /bin/sh
GnuPG: shellcmdflag: -c
GnuPG: shellxquote: 
GnuPG: shellredir: >%s 2>&1
GnuPG: stderrredirnull: 2>/dev/null
GnuPG: shell implementation: /bin/dash
GnuPG: command: gpg --trust-model always --version 2>/dev/null
GnuPG: rc: 0
GnuPG: output: gpg (GnuPG) 2.2.4^@libgcrypt 1.8.1^@Copyright (C) 2017 Free Software Foundation, Inc.^@License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>^@This is free software: you are free to change and redistribute it.^@There is NO WARRANTY, to the extent permitted by law.^@^@Home: /home/edA-qa/.gnupg^@Supported algorithms:^@Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA^@Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,^@        CAMELLIA128, CAMELLIA192, CAMELLIA256^@Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224^@Compression: Uncompressed, ZIP, ZLIB, BZIP2^@
GnuPG: public key algorithms: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
GnuPG: cipher algorithms: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
GnuPG: hashing algorithms: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
GnuPG: compression algorithms: Uncompressed, ZIP, ZLIB, BZIP2
GnuPG: <<<<<<<< Leaving s:GPGInit()
GnuPG: >>>>>>>> Entering s:GPGDecrypt(1)
GnuPG: command: gpg --trust-model always --use-agent --verbose --decrypt --list-only --dry-run --no-use-agent --logger-fd 1 '/projects/notes.txt.gpg' 2>/dev/null
GnuPG: rc: 0
GnuPG: output: gpg: CAST5 encrypted data^@gpg: encrypted with 1 passphrase^@
GnuPG: this file is symmetric encrypted
GnuPG: cipher-algo is CAST5
GnuPG: called BufReadPre autocommand for /projects/notes.txt
GnuPG: decrypting file
GnuPG: command: silent read ++edit !gpg --trust-model always --use-agent --quiet --decrypt '/projects/notes.txt.gpg' 2>/dev/null
GnuPG: rc: 2
GnuPG: <<<<<<<< Leaving s:GPGDecrypt()

mortoray avatar Sep 13 '18 23:09 mortoray

Just testing, gpg --trust-model always --use-agent --quiet --decrypt '/projects/notes.txt.gpg' 2>/dev/null decrypts the file, but its return value is 2. I guess that's triggering the error.

Maybe: https://unix.stackexchange.com/questions/50541/what-does-gpg-error-code-2gpg-err-unknown-packet-mean

Checking further, without redirecting the error I get:

gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
     likely that this message is legitimate.  This is because back
     then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!

mortoray avatar Sep 13 '18 23:09 mortoray

I decrypted, then reencrypted the file and it works. I don't know what the integrity stuff is, but it's for sure the file was not created before the year 2003. In any case, this doesn't appear to be an issue with the plugin, but with GPG itself. Unless you want to add the --ignore-mdc-error to the command.

mortoray avatar Sep 13 '18 23:09 mortoray

Maybe it wasn't created by gpg, but some other tool that doesn't use MDC. GPG upstream explains the situation and how to detect this from the status output.

I'll track this with other error reporting improvements.

jamessan avatar Sep 14 '18 01:09 jamessan
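
Detecting the missing-MDC case from gpg's status output, as mentioned in the comment above, can be sketched like this. It is an added example, not code from vim-gnupg or from anyone in the thread; the function name and verdict words are hypothetical, and the sample status lines are constructed (trimmed to the lines the function reads) following the `[GNUPG:]` status format described in GnuPG's doc/DETAILS.

```sh
#!/bin/sh
# Added example: classify a gpg decryption attempt from its status lines.
# Real input would come from (plaintext discarded, only status kept):
#   gpg --status-fd 3 --decrypt FILE 3>&1 >/dev/null 2>/dev/null | classify_gpg_status
# Prints one word: ok | no-mdc | bad-mdc | failed | unknown
classify_gpg_status() {
    mdc_method='' failed=0 okay=0 badmdc=0
    while read -r tag keyword arg1 rest || [ -n "$tag" ]; do
        [ "$tag" = '[GNUPG:]' ] || continue        # skip anything that is not a status line
        case $keyword in
            DECRYPTION_INFO)   mdc_method=$arg1 ;; # fields: <mdc_method> <sym_algo>; 0 = no MDC
            BADMDC)            badmdc=1 ;;
            DECRYPTION_FAILED) failed=1 ;;
            DECRYPTION_OKAY)   okay=1 ;;
        esac
    done
    if   [ "$badmdc" -eq 1 ];   then echo bad-mdc  # MDC present but does not verify
    elif [ "$mdc_method" = 0 ]; then echo no-mdc   # message carries no integrity protection
    elif [ "$failed" -eq 1 ];   then echo failed   # some other decryption error
    elif [ "$okay" -eq 1 ];     then echo ok
    else                             echo unknown
    fi
}

# Constructed sample: CAST5 (algo 3) message without MDC, as in this thread.
sample_no_mdc() {
    cat <<'EOF'
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 3
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
EOF
}

# Constructed sample: AES256 (algo 9) message with a valid MDC (method 2).
sample_with_mdc() {
    cat <<'EOF'
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
EOF
}

for s in sample_no_mdc sample_with_mdc; do
    printf '%s: %s\n' "$s" "$($s | classify_gpg_status)"
done
```

A `no-mdc` verdict gives a caller a specific reason to report in place of the generic "Message could not be decrypted!" that exit code 2 alone produces.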

Hi.

I came across this bug today migrating from 16.04 to 18.04. I added the line

cipher-algo AES256

to ~/.gnupg/options, and I could then get gpg to decrypt on the command line but still had the problem with vim and vim.gnupg:

shell returned 2
Message could not be decrypted.

By accident I found that if I pressed <control>C (^C) then the decrypted buffer WOULD come up in the vim buffer.

I then saved the file and re-encrypted it, and at this stage (presumably because of the cipher line ?) it is encrypted in a way which doesn't cause problems with vim.gnupg anymore.

p-phillips avatar Mar 31 '19 16:03 p-phillips