I've spent a good half of the day trying to figure out this error, as it first started to fail without errors on gopass.
What I've managed to find out is that Ubuntu is able to encode a message to macOS and macOS is able to decode it. When it does, it reports: gpg: AES256.CFB encrypted data
Whereas when the same file is encoded on macOS, during decoding gpg outputs: gpg: AES256.OCB encrypted data
So @dave_thompson_085 had a good guess.
Solution (update to answer above)
TLDR: Disable AEAD in your key prefs by running gpg --edit-key ... and then setpref SHA512 SHA384 SHA256 SHA224 SHA1 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed then y then save. Then re-encrypt your messages.
I've gotten to the bottom of this issue. CFB is not an AEAD algorithm; it just indicates what cipher block was used. AEAD defines a cipher block and a way to authenticate associated plain text like package headers etc. It is a faster alternative to MDC - Modification Detection Code.
GPG has no option to disable AEAD and force MDC if AEAD is enabled in your key preferences, and it is set so by default when you generate a key with a new gpg. The only way to fix the issue is to edit the key preferences to remove any AEAD algorithms.
How to edit key pref to make it compatible with gpg 2.2.x
Let's first make a small test to see that the AEAD is being used:
$ [email protected]
$ echo test | gpg --encrypt --recipient $KEY | gpg --verbose --decrypt
...
gpg: AES256.OCB encrypted data
gpg: original file name=''
test
As you can see, OCB is being used.
Let's now edit the key preferences. You can show your current preferences with showpref:
$ gpg --edit-key $KEY
gpg> showpref
[ultimate] (1). Piotr Czapla <[email protected]>
Cipher: AES256, AES192, AES, 3DES
AEAD: OCB
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, AEAD, Keyserver no-modify
Then tweak the following command to match your prefs but disable AEAD. It will ask you for confirmation before changing the prefs. In my case this list did the trick: setpref SHA512 SHA384 SHA256 SHA224 SHA1 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
Once you have yours, just confirm the change and save your key.
gpg> setpref SHA512 SHA384 SHA256 SHA224 SHA1 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
Cipher: AES256, AES192, AES, 3DES
AEAD:
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
sec ed25519/285CE99FAA64E280
created: 2022-07-20 expires: 2025-07-19 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/C2C95918A535E298
created: 2022-07-20 expires: 2025-07-19 usage: E
ssb ed25519/CDEBF13E9DE11878
created: 2022-07-21 expires: 2027-07-20 usage: A
[ultimate] (1). Piotr Czapla (api key used to decrypt gopass on less secure instances) <[email protected]>
gpg> save
Then test that AEAD is not being used:
$ echo test | gpg --encrypt --recipient $KEY | gpg --verbose --decrypt
...
gpg: AES256.CFB encrypted data
gpg: original file name=''
test
And observe how the default CFB is being selected.
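An added example, not part of the original answer: a POSIX shell helper for the "re-encrypt your messages" step. It reports which files in a store still decrypt in an AEAD mode and whether a key's showpref output still advertises AEAD. The function names and the store layout (files ending in .gpg under one directory) are assumptions; the parsing relies only on the output lines shown above.

```shell
#!/bin/sh
# Added example. Function names and the *.gpg store layout are assumptions.

# Print the mode (CFB, OCB, ...) found in `gpg --verbose --decrypt`
# diagnostics read from stdin, e.g. "gpg: AES256.OCB encrypted data" -> OCB.
cipher_mode() {
    sed -n 's/^gpg: [A-Z0-9]*\.\([A-Z]*\) encrypted data.*/\1/p' | head -n 1
}

# Succeed if the showpref text on stdin lists any algorithm after "AEAD:".
# Feed it with: gpg --edit-key "$KEY" showpref quit
key_advertises_aead() {
    awk '/^[ \t]*AEAD:/ {
             sub(/^[ \t]*AEAD:[ \t]*/, "")
             if ($0 != "") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# Print "file<TAB>mode" for every file under directory $1 that decrypts in a
# mode other than CFB. Needs the secret key; the plaintext is discarded.
# An empty mode means no mode line was seen (for example, decryption failed).
list_aead_files() {
    find "$1" -type f -name '*.gpg' | while IFS= read -r f; do
        mode=$(gpg --verbose --decrypt "$f" 2>&1 >/dev/null | cipher_mode)
        case "$mode" in
            ''|CFB) ;;
            *) printf '%s\t%s\n' "$f" "$mode" ;;
        esac
    done
}

# When called with a directory argument, audit that store.
if [ "$#" -gt 0 ]; then
    list_aead_files "$1"
fi
```

Run it after setpref and save: every file it lists was written before the preference change and still needs to be re-encrypted before gpg 2.2.x can read it.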
--list-packets on both versions to see.