Hi Ankit,

Below is the response from GnuPG support, please let us know if this can provide us the specific Root Cause. Please reply to all and direct email to GnuPG Team if you have any questions for them. Thanks in advance.

Also, do not remove any of the participants of this email.

Hi Carlos--

Please reply in the original thread, to make it easier for people to follow the discussion. I've added some References: headers back in here so some mailers might merge the threads, but this won't work for everyone.

Also, when sharing terminal transcripts, sending mail without unnecessary line-wrapping will make them much easier for your readers to interpret.

It looks like you're trying to sign the file (that's what the "-s" part of "-se" means). For whatever reason, the signature itself is likely to be what is failing, and not the encryption.

If you drop the signatures in your test (using -e instead of -se) do they all complete cleanly?

To be clear: I'm not saying you shouldn't sign at the same time as encrypting, i'm trying to help you narrow down the cause of the problem.

I also see you fiddling with the ownership of ~/.gnupg/random_seed -- you really shouldn't need to do that, and ideally each user will control their own random_seed automatically -- you shouldn't be sharing a gnupg home directory between two different user accounts unless you absolutely need to.

--dkg

(See attached file: signature.asc)

Carlos A. Moreno Torres
Problem Management | CEMEX Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmore...@mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
IBM
Av. Constitución No. 444 Pte.
Monterrey, NL 64000 México

From: Ankit Bhardwaj5/India/IBM
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM@IBMMX
Cc: Ajay B Challa/India/IBM@IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM@IBMMX, "Juan Carlos Garcia" <juancarlos.gar...@ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM@IBMMX, "Samuel Mizrain Ramos Javier" <samuelmizrain.ra...@ext.cemex.com>, Srinivas Masetty/India/IBM@IBMIN
Date: 05/31/2016 10:46 AM
Subject: Re: Fw: GnuPG - Encryption process issues.
Hello Carlos,

Please share the information below with the GPG team. I think that by seeing the results of the tests performed by us on the system they will be able to give us the solution.

We have tested the things below in the environment.

-> User details used in this test

    root
    ehpadm

Permissions under user "root"

-> Directory permission of root

    drwx------ 2 root sapsys 4096 May 31 09:39 /home/root/.gnupg

-> Files under /home/root/.gnupg

    -rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg
    -rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg
    -r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf
    -rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~
    -rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg
    -rw------- 1 root sapsys 11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480
    -rw------- 1 root sapsys 11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460
    -rw------- 1 root sapsys 11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598
    -rw------- 1 root sapsys 11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042
    -rw------- 1 root sapsys 11 May 2 11:32 .#lk200104b8.mxoccsapehpn2.10748294
    -rw------- 1 root sapsys 11 May 2 19:34 .#lk200104b8.mxoccsapehpn2.7471568
    -rw------- 1 root sapsys 11 May 2 22:23 .#lk2000c328.mxoccsapehpn2.12058746
    -rw------- 1 root sapsys 11 May 2 23:46 .#lk200104b8.mxoccsapehpn2.6750230
    -rw------- 1 root sapsys 11 May 3 10:28 .#lk200104b8.mxoccsapehpn2.14221392
    -rw------- 1 root sapsys 11 May 3 13:45 .#lk200104b8.mxoccsapehpn2.9240874
    -rw------- 1 root sapsys 600 May 31 09:39 random_seed

-> Permissions under user "ehpadm"

    drwx------ 2 ehpadm sapsys 4096 May 31 09:48 /home/ehpadm/.gnupg

-> Files under /home/ehpadm/.gnupg

    -rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg
    -rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~
    -rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg
    -rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg
    -rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076
    -rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf
    -rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766
    -rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004
    -rw------- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528
    -rw------- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578
    -rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674
    -rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed

#### Test 1 ##### ------- Failed Test

-> Created file named "testehpadm" in ehpadm home directory

    -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm

-> Invoke GPG program using the command below

    /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm

-> Output of command

    gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
    gpg: No trust check due to `--trust-model always' option
    gpg: writing to `/home/ehpadm/testehpadm.pgp'

-> The command is not exiting; we have to forcefully kill the command every time, and the file generated by PGP is zero bytes

    -rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06 /home/ehpadm/testehpadm.pgp

#### Test 2 ##### -------- Successful Test

-> Created file named "testroot" in root home directory

    -rw-r--r-- 1 root system 7 May 31 10:11 /home/root/testroot

-> Invoke GPG program using the command below

    /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot

-> Output of command

    gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
    gpg: No trust check due to `--trust-model always' option
    gpg: writing to `/home/root/testroot.pgp'
    gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
    gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"

Test completed successfully with no errors

    -rw-r--r-- 1 root system 1649 May 31 10:12 /home/root/testroot.pgp

#### Test 3 ##### --------- Test is successful but giving some error

-> Created file named "testehpadm" in ehpadm home directory

    -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm

-> Changed the owner of the "random seed" file to root so that ehpadm cannot write to the random_seed file

    -rw------- 1 root system 0 May 31 10:00 /home/ehpadm/.gnupg/random_seed

-> Invoke GPG program using the command below

    /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm

-> Output of command

    gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
    gpg: No trust check due to `--trust-model always' option
    File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y
    gpg: writing to `/home/ehpadm/testehpadm.pgp'
    gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
    gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
    gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
    gpg: note: random_seed file not updated

-> The command is exiting successfully, but the errors below are coming

    gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
    gpg: note: random_seed file not updated

Encrypted file is generated

    -rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25 /home/ehpadm/testehpadm.pgp

So when we have the original random seed file in the home directory of the ehpadm user, the gpg encryption program is not working, and when we change the owner of this file and make root the owner, gpg is bypassing this file and it generated the encrypted file with the error below, as in TEST 3:

    gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
    gpg: note: random_seed file not updated

Regards,

ANKIT BHARDWAJ
SME - AIX
Mobile: 91-9000-146341
E-mail: ankit.bhardw...@in.ibm.com
IBM

From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: Ankit Bhardwaj5/India/IBM@IBMIN
Cc: "Juan Carlos Garcia" <juancarlos.gar...@ext.cemex.com>, Srinivas Masetty/India/IBM@IBMIN, Ajay B Challa/India/IBM@IBMIN, Samuel Ramos Javier/Mexico/IBM@IBMMX, "Samuel Mizrain Ramos Javier" <samuelmizrain.ra...@ext.cemex.com>, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM@IBMMX
Date: 05/31/2016 07:11 PM
Subject: Fw: GnuPG - Encryption process issues.

Hi Ankit,

Please confirm if information provided by GnuPG Support Team leads us to a specific Root Cause or if more details are required, since issue can occur again, generating another RCA with higher visibility. Thanks in advance.

Carlos A. Moreno Torres
Problem Management | CEMEX Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmore...@mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
IBM
Av. Constitución No. 444 Pte.
Monterrey, NL 64000 México

----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/31/2016 08:36 AM -----

From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: "Juan Carlos Garcia" <juancarlos.gar...@ext.cemex.com>, Juan Carlos Garcia Dominguez/Mexico/Contr/IBM@IBMMX, Ankit Bhardwaj5/India/IBM@IBMIN
Cc: Samuel Ramos Javier/Mexico/IBM@IBMMX, "Samuel Mizrain Ramos Javier" <samuelmizrain.ra...@ext.cemex.com>, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM@IBMMX
Date: 05/27/2016 03:05 PM
Subject: Fw: GnuPG - Encryption process issues.

FYI

Carlos A. Moreno Torres
Problem Management | CEMEX Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmore...@mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
IBM
Av. Constitución No. 444 Pte.
Monterrey, NL 64000 México

----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/27/2016 03:04 PM -----

From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM@IBMMX, gnupg-users@gnupg.org
Date: 05/27/2016 10:32 AM
Subject: Re: GnuPG - Encryption process issues.
On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote:
> In recent days, Human Resources Department had some issues while using the
> Encryption Program GnuPG in payroll activities, this issue caused a delay
> since files were encrypted but information was in blank (like if
> encryption process did not finish.)
>
> As part of remediation process, we found out that it could only work with
> Root Permissions but not with the current user. We want to confirm how
> the encryption process works and if you can share any thoughts of what
> might happen. If you require more information, please do not hesitate
> to ask me.

It sounds to me like the installation of gnupg that you are using is misconfigured.

GnuPG depends heavily on a "keyring" -- a collection of public key material (and sometimes private key material, if decryption or signing is needed), which it maintains in the .gnupg directory within the running user's home directory (found by the environment variable $HOME).

If you've started with a normal user account, but have then run gnupg as root (e.g. using "su") without resetting $HOME to root's actual homedir (usually /root on the systems i use), then it's possible that you've created ~/.gnupg with the wrong permissions. Or, it's possible that the .gnupg directory is *only* available within root's homedir.

Does your non-privileged user have a ~/.gnupg directory? If so, does it have read and write access to it?

What error messages do you get from invoking gpg directly?

--dkg
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
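
The questions raised in the thread (does the non-privileged user have a ~/.gnupg directory, and can it read and write it?) can be answered with a short read-only check. The script below is an added example, not part of the original emails or of GnuPG; the function names check_gnupg_home and note, and the choice of checks (ownership, directory mode, an empty random_seed, leftover .#lk* files as seen in the listings), are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks on a GnuPG home
# directory, to be run as the user whose gpg invocation misbehaves.
# Usage after sourcing this file: check_gnupg_home [directory]
# Findings are troubleshooting hints, not a root-cause diagnosis.

note() {
    findings=$((findings + 1))
    echo "FINDING: $*"
}

check_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    findings=0
    if [ ! -d "$dir" ]; then
        note "$dir does not exist or is not a directory"
        return 1
    fi
    # The directory should belong to, and be usable by, the invoking user only.
    [ -O "$dir" ] || note "$dir is not owned by the invoking user"
    { [ -r "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]; } || note "no rwx access to $dir"
    mode=$(ls -ld "$dir" | cut -c5-10)
    [ "$mode" = "------" ] || note "$dir is open to group/other ($mode)"

    # Files named in the thread's listings; each user should own their own copy.
    for f in pubring.gpg secring.gpg trustdb.gpg random_seed; do
        [ -e "$dir/$f" ] || continue
        [ -O "$dir/$f" ] || note "$f is not owned by the invoking user"
        { [ -r "$dir/$f" ] && [ -w "$dir/$f" ]; } || note "$f is not readable and writable"
    done
    # The ehpadm listing in the thread shows a 0-byte random_seed; report that state.
    if [ -e "$dir/random_seed" ] && [ ! -s "$dir/random_seed" ]; then
        note "random_seed is empty (0 bytes)"
    fi
    # .#lk* files are lock temp files; leftovers can remain when gpg is killed.
    locks=0
    for l in "$dir"/.#lk*; do
        if [ -e "$l" ]; then locks=$((locks + 1)); fi
    done
    [ "$locks" -eq 0 ] || note "$locks leftover .#lk* file(s)"

    echo "$findings finding(s) for $dir"
    [ "$findings" -eq 0 ]
}
```

Run it once as each account (here root and ehpadm) and compare the findings; it changes nothing on disk.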