GPGME::Error::DecryptFailed presumably for message without integrity protection
Closed this issue · 4 comments
When I tried to decrypt a message from an external service I got GPGME::Error::DecryptFailed
.
This error can mean "cipher was encrypted for a key that's not available currently" but this is not the case, because other messages with the same recipient are decrypted, so the private key is not the cause.
There is a code to reproduce:
crypto = GPGME::Crypto.new
crypto.decrypt(Base64.urlsafe_decode64('hQGMA_I9BkjDoykHAQwAsMAsYoGjMHF2p14Jwv-pwsEDpsnzHZU3NgGl2pQ2ugwhP-j7XbLcQAGBDevYDRc8Mz3Kj9FoMFWEyWY4me1NqIUp6LYJ5sCVYA3f8xidf0ulsqeUN64i3IgKCWVs_m5wadpCMLAauR0gqctHJWqHVpg-v_gNEzw_3saHLGnyDzA5Lvu8c5qrn0dZcfpIzv91e4Z9iWX_0_6EZWTTiNedHGGBixYui24Wj1B_gq7yCYn8EByQfniTVzp17bykEkB-FdyIQ6MLFxecUS0MwPYgLks4En0X5oV8BMCZekBQUkbSK1_sP7c-t_F43mOunZ_oUqVNJ8mGTpNeL7tVUY-vhflSd12fysqbzs6riMzw4MpKd-6mPRVzFD_J1gRr6X1TI-RW4FAHtHW_ScLN_Ilr5Msn1D4WJO8zyhZ-7kecQb_YKdhbKAHfv8jTGFpnyhIu0LfC0FRlJyZ5WgLzu5Odus_Sj4jYGs4HA1FN898BpNFMO8oQu8Idn9n1SSiiERN4ycDVFPkoqnKe59YmDJAfqcg7BRcbnfMPaTP6BeMlDaxXr2CRQSi-5yXxsV6ZENGUhRw3ZWlHN02sW8ZtXygHRXIy_vTED2f-dZJaTnMPwe7IfyojAT7meWBylTZFLre8KA8IRAfsC8zxjBarrAWtdT7SRDpkd6c84ZcP4Mah9H0bMpYTGs65yW0sksQk-h2wG6UjfXL_pry65o8HiDCTVDfy7Gk9y56LL1j_v-vkgYyaikRmoCkjEaZuqakmyzNBsGvJa3Yhgt-94hT4hTnSg-5gDfGagR1e-6goHim9V-UM8sEY4vYFa3fwIOnV-c3fNIzU1kKrw6Y9_LYy0lm0kSD0zSuVp1MgZUxo6WY6fz5dcFbuBZrzIgL4T2isdnKM4mJgi5gFaLXQKOFkiN2I0o1LAiyGxNcGGp8902e8pjRQ6CLH9CLWO12erv9B69iuL9zM4NggQ-kPWMwztDACRv3xXm083WVtusHuQFyTV5tFcI-amQ3mm203fzDF6TEEHyCUDMsXLeG34yb-JwkbVyKMnVjmvxmt'))
=> #<GPGME::Crypto:0x000055dfdeefb578 @default_options={}>
Traceback (most recent call last):
1: from (irb):31
GPGME::Error::DecryptFailed (GPGME::Error::DecryptFailed)
The private key which can decrypt this message (created especially for this issue) in this gist
Then I saved it to a file:
File.open("/tmp/message.pgp", "wb") do |f|
f.write(Base64.urlsafe_decode64('hQGMA_I9BkjDoykHAQwAsMAsYoGjMHF2p14Jwv-pwsEDpsnzHZU3NgGl2pQ2ugwhP-j7XbLcQAGBDevYDRc8Mz3Kj9FoMFWEyWY4me1NqIUp6LYJ5sCVYA3f8xidf0ulsqeUN64i3IgKCWVs_m5wadpCMLAauR0gqctHJWqHVpg-v_gNEzw_3saHLGnyDzA5Lvu8c5qrn0dZcfpIzv91e4Z9iWX_0_6EZWTTiNedHGGBixYui24Wj1B_gq7yCYn8EByQfniTVzp17bykEkB-FdyIQ6MLFxecUS0MwPYgLks4En0X5oV8BMCZekBQUkbSK1_sP7c-t_F43mOunZ_oUqVNJ8mGTpNeL7tVUY-vhflSd12fysqbzs6riMzw4MpKd-6mPRVzFD_J1gRr6X1TI-RW4FAHtHW_ScLN_Ilr5Msn1D4WJO8zyhZ-7kecQb_YKdhbKAHfv8jTGFpnyhIu0LfC0FRlJyZ5WgLzu5Odus_Sj4jYGs4HA1FN898BpNFMO8oQu8Idn9n1SSiiERN4ycDVFPkoqnKe59YmDJAfqcg7BRcbnfMPaTP6BeMlDaxXr2CRQSi-5yXxsV6ZENGUhRw3ZWlHN02sW8ZtXygHRXIy_vTED2f-dZJaTnMPwe7IfyojAT7meWBylTZFLre8KA8IRAfsC8zxjBarrAWtdT7SRDpkd6c84ZcP4Mah9H0bMpYTGs65yW0sksQk-h2wG6UjfXL_pry65o8HiDCTVDfy7Gk9y56LL1j_v-vkgYyaikRmoCkjEaZuqakmyzNBsGvJa3Yhgt-94hT4hTnSg-5gDfGagR1e-6goHim9V-UM8sEY4vYFa3fwIOnV-c3fNIzU1kKrw6Y9_LYy0lm0kSD0zSuVp1MgZUxo6WY6fz5dcFbuBZrzIgL4T2isdnKM4mJgi5gFaLXQKOFkiN2I0o1LAiyGxNcGGp8902e8pjRQ6CLH9CLWO12erv9B69iuL9zM4NggQ-kPWMwztDACRv3xXm083WVtusHuQFyTV5tFcI-amQ3mm203fzDF6TEEHyCUDMsXLeG34yb-JwkbVyKMnVjmvxmt'))
end
and tried to decrypt using gpg
:
$ gpg -d /tmp/message.pgp
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 3072-bit RSA key, ID F23D0648C3A32907, created 2021-03-04
"Test for ruby-gpgme issue <test@test.com>"
gpg: Note: sender requested "for-your-eyes-only"
{"message":"hello"}gpg: Signature made Thu 04 Mar 2021 09:39:17 PM EET
gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
likely that this message is legitimate. This is because back
then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!
So gpg
gives warnings about the absence of MDC (Modification Detection Code). And I can decrypt the message with --ignore-mdc-error
flag, so I'm sure that exactly MDC prevents me from decrypting with GPGME
.
Can anyone help me to figure out how to ignore the MDC error using GPGME
?
gpg version 2.2.19 (Ubuntu). but 2.2.27 has the same behavior.
@alnpetil the only workaround I found is saving to temp file and call system "gpg" and reading result from second file.
Same issue here, can gpgme provide an addtional option param to let us pass in this flag instead?