Fw: GnuPG - Encryption process issues.

Ankit Bhardwaj5 ankit.bhardwaj3 at in.ibm.com
Wed Jun 8 18:41:27 CEST 2016


Hello Carlos

As I am busy completing the DR checklist, I will try to finish this by 
today.



Regards,

ANKIT BHARDWAJ
SME - AIX


Mobile: 91-9000-146341
E-mail: ankit.bhardwaj3 at in.ibm.com






From:   Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To:     Ankit Bhardwaj5/India/IBM at IBMIN, Rockey L Das/India/IBM at IBMIN
Cc:     Daniel Kahn Gillmor <dkg at fifthhorseman.net>, 
gnupg-users at gnupg.org, Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes 
de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" 
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX, 
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>, 
Srinivas Masetty/India/IBM at IBMIN
Date:   06/08/2016 10:04 PM
Subject:        Re: Fw: GnuPG - Encryption process issues.


Hi Ankit / Ajay,

So far we have not received any response. Please revert to the GnuPG 
Support Team, since the client is asking for updates, and "Reply to all" 
in this email. Thanks in advance.




   Carlos A. Moreno Torres
    Problem Management | CEMEX
    Global Technology Services | IBM Corporation 

Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b 
  



Av. Constitución No. 444 Pte.
Monterrey, NL 64000
México






From:   Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To:     Ankit Bhardwaj5/India/IBM at IBMIN, Daniel Kahn Gillmor 
<dkg at fifthhorseman.net>, gnupg-users at gnupg.org
Cc:     Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca 
Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" 
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX, 
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>, 
Srinivas Masetty/India/IBM at IBMIN
Date:   06/06/2016 12:34 PM
Subject:        Re: Fw: GnuPG - Encryption process issues.


Hi Ankit,

Below is the response from GnuPG support, please let us know if this can 
provide us the specific Root Cause. Please reply to all and direct email 
to GnuPG Team if you have any questions for them. Thanks in advance.

Also, do not remove any of the participants of this email.

Hi Carlos--

Please reply in the original thread, to make it easier for people to
follow the discussion.

I've added some References: headers back in here so some mailers might
merge the threads, but this won't work for everyone.

Also, when sharing terminal transcripts, sending mail without
unnecessary line-wrapping will make them much easier for your readers to
interpret.

It looks like you're trying to sign the file (that's what the "-s" part
of "-se" means).  For whatever reason, the signature itself is likely to
be what is failing, and not the encryption.  If you drop the signatures
in your test (using -e instead of -se) do they all complete cleanly?  To
be clear: I'm not saying you shouldn't sign at the same time as
encrypting, i'm trying to help you narrow down the cause of the problem.

I also see you fiddling with the ownership of ~/.gnupg/random_seed --
you really shouldn't need to do that, and ideally each user will control
their own random_seed automatically -- you shouldn't be sharing a gnupg
home directory between two different user accounts unless you absolutely
need to.

     --dkg





   Carlos A. Moreno Torres






From:   Ankit Bhardwaj5/India/IBM
To:     Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX
Cc:     Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca 
Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" 
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX, 
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>, 
Srinivas Masetty/India/IBM at IBMIN
Date:   05/31/2016 10:46 AM
Subject:        Re: Fw: GnuPG - Encryption process issues.


Hello Carlos

Please share the below information with the GPG team. I think that by 
seeing the results of the tests performed by us on the system they will be 
able to give us the solution.

We have tested the below things in the environment

-> User details used in this test
root
ehpadm

Permissions under user "root"

-> Directory Permission of root

drwx------    2 root     sapsys         4096 May 31 09:39 /home/root/.gnupg

-> Files Under /home/root/.gnupg

-rw-------    1 root     sapsys         1280 Sep 13 2011  trustdb.gpg
-rw-------    1 root     sapsys         4805 Sep 13 2011  secring.gpg
-r--------    1 root     sapsys         9088 Sep 13 2011  gpg.conf
-rw-------    1 root     sapsys         7438 May 21 2013  pubring.gpg~
-rw-------    1 root     sapsys         8557 Nov  8 2013  pubring.gpg
-rw-------    1 root     sapsys           11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480
-rw-------    1 root     sapsys           11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460
-rw-------    1 root     sapsys           11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598
-rw-------    1 root     sapsys           11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042
-rw-------    1 root     sapsys           11 May  2 11:32 .#lk200104b8.mxoccsapehpn2.10748294
-rw-------    1 root     sapsys           11 May  2 19:34 .#lk200104b8.mxoccsapehpn2.7471568
-rw-------    1 root     sapsys           11 May  2 22:23 .#lk2000c328.mxoccsapehpn2.12058746
-rw-------    1 root     sapsys           11 May  2 23:46 .#lk200104b8.mxoccsapehpn2.6750230
-rw-------    1 root     sapsys           11 May  3 10:28 .#lk200104b8.mxoccsapehpn2.14221392
-rw-------    1 root     sapsys           11 May  3 13:45 .#lk200104b8.mxoccsapehpn2.9240874
-rw-------    1 root     sapsys          600 May 31 09:39 random_seed


->Permissions under user "ehpadm"

drwx------    2 ehpadm   sapsys         4096 May 31 09:48 /home/ehpadm/.gnupg

-> Files Under /home/ehpadm/.gnupg

-rw-------    1 ehpadm   sapsys         1200 May  3 21:54 trustdb.gpg
-rw-------    1 ehpadm   sapsys         7438 May  3 21:54 pubring.gpg~
-rw-------    1 ehpadm   sapsys         8557 May  3 21:54 pubring.gpg
-rw-------    1 ehpadm   sapsys         4805 May  3 21:54 secring.gpg
-rw-------    1 ehpadm   sapsys           11 May  3 22:03 .#lk200104b8.mxoccsapehpn2.6488076
-rw-------    1 ehpadm   sapsys         9029 May  4 11:18 gpg.conf
-rw-------    1 ehpadm   sapsys           11 May  4 13:43 .#lk2000c328.mxoccsapehpn2.6160766
-rw-------    1 ehpadm   sapsys           11 May  4 13:55 .#lk2000c328.mxoccsapehpn2.8913004
-rw-------    1 ehpadm   sapsys           11 May  4 15:55 .#lk2000c328.mxoccsapehpn2.12976528
-rw-------    1 ehpadm   sapsys           11 May  4 17:58 .#lk2000c328.mxoccsapehpn2.10158578
-rw-------    1 ehpadm   sapsys           11 May  4 18:06 .#lk2000c328.mxoccsapehpn2.5308674
-rw-------    1 ehpadm   sapsys            0 May 31 10:00 random_seed




#### Test 1 ##### -------Failed Test

->Created file name "testehpadm" in ehpadm home directory
-rw-r--r--    1 ehpadm   sapsys            6 May 31 10:06 /home/ehpadm/testehpadm

-> Invoke GPG program using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm

-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/ehpadm/testehpadm.pgp'

-> command is not exiting, we have to forcefully kill the command every 
time and the file generated by PGP is zero bytes

-rw-r--r--    1 ehpadm   sapsys            0 May 31 10:06 /home/ehpadm/testehpadm.pgp


#### Test 2 ##### --------Successful Test

->Created file name "testroot" in root home directory
-rw-r--r--    1 root     system            7 May 31 10:11 /home/root/testroot

-> Invoke GPG program using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot

-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/root/testroot.pgp'
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"

Test completed successfully with no errors
-rw-r--r--    1 root     system         1649 May 31 10:12 /home/root/testroot.pgp

#### Test 3 ##### ---------Test is successful but giving some error 

->Created file name "testehpadm" in ehpadm home directory
-rw-r--r--    1 ehpadm   sapsys            6 May 31 10:06 /home/ehpadm/testehpadm

-> Changed the owner of "random seed" file to root so that ehpadm can not 
write to random_seed file
-rw-------    1 root     system            0 May 31 10:00 /home/ehpadm/.gnupg/random_seed

-> Invoke GPG program using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm

-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y
gpg: writing to `/home/ehpadm/testehpadm.pgp'
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
gpg: note: random_seed file not updated


-> command is exiting successfully, but below errors are coming
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated

Encrypted file is generated
-rw-r--r--    1 ehpadm   sapsys         1654 May 31 10:25 /home/ehpadm/testehpadm.pgp


So when we have the original random seed file in the home directory of the 
ehpadm user, the gpg encryption program is not working, and when we change 
the owner of this file and make root the owner, gpg is bypassing this file 
and it generates the encrypted file with the below error, as in TEST 3

gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated



Regards,

ANKIT BHARDWAJ







From:   Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To:     Ankit Bhardwaj5/India/IBM at IBMIN
Cc:     "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>, Srinivas 
Masetty/India/IBM at IBMIN, Ajay B Challa/India/IBM at IBMIN, Samuel Ramos 
Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" 
<samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando Montes de Oca 
Tavera/Mexico/Contr/IBM at IBMMX
Date:   05/31/2016 07:11 PM
Subject:        Fw: GnuPG - Encryption process issues.


Hi Ankit, 

Please confirm if the information provided by the GnuPG Support Team leads 
us to a specific Root Cause or if more details are required, since the 
issue can occur again, generating another RCA with higher visibility.

Thanks in advance.


   Carlos A. Moreno Torres


----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 
05/31/2016 08:36 AM -----

From:   Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To:     "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>, Juan 
Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit 
Bhardwaj5/India/IBM at IBMIN
Cc:     Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos 
Javier" <samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando Montes de Oca 
Tavera/Mexico/Contr/IBM at IBMMX
Date:   05/27/2016 03:05 PM
Subject:        Fw: GnuPG - Encryption process issues.


FYI



   Carlos A. Moreno Torres


----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 
05/27/2016 03:04 PM -----

From:   Daniel Kahn Gillmor <dkg at fifthhorseman.net>
To:     Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX, 
gnupg-users at gnupg.org
Date:   05/27/2016 10:32 AM
Subject:        Re: GnuPG - Encryption process issues.



On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote:

> In recent days, Human Resources Department had some issues while using the
> Encryption Program GnuPG in payroll activities, this issue caused a delay
> since files were encrypted but information was in blank (like if
> encryption process did not finish.)
>
> As part of remediation process, we found out that it could only work with
> Root Permissions but not with the current user. We want to confirm how
> the encryption process works and if you can share any thoughts of what
> might happen. If you require more information, please do not hesitate
> to ask me.

It sounds to me like the installation of gnupg that you are using is
misconfigured.  GnuPG depends heavily on a "keyring" -- a collection of
public key material (and sometimes private key material, if decryption
or signing is needed), which it maintains in the .gnupg directory within
the running user's home directory (found by the environment variable
$HOME).

If you've started with a normal user account, but have then run gnupg as
root (e.g. using "su") without resetting $HOME to root's actual homedir
(usually /root on the systems i use), then it's possible that you've
created ~/.gnupg with the wrong permissions.

Or, it's possible that the .gnupg directory is *only* available within
root's homedir.

Does your non-privileged user have a ~/.gnupg directory?  if so, does it
have read and write access to it?

What error messages do you get from invoking gpg directly?

     --dkg
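
The questions raised in the thread (does the user have its own ~/.gnupg, does it own and control the files in it, what state is random_seed in, are old .#lk* lock files lying around) can be checked in one pass. The following is an added shell example, not part of the original messages; the function names check_gnupg_home and mode_owner are hypothetical, and the 600-byte expectation for random_seed is taken from root's working file in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): audit one user's GnuPG home directory.
# Usage: check_gnupg_home [DIR] [USER]
#   DIR defaults to $HOME/.gnupg, USER to the invoking user.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

# Print "<mode> <owner>" using ls -ld, as in the listings in the thread.
mode_owner() { ls -ld "$1" | awk '{ print $1, $3 }'; }

check_gnupg_home() {
    dir=${1:-$HOME/.gnupg}
    user=${2:-$(id -un)}
    bad=0

    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    set -- $(mode_owner "$dir")
    case $1 in
        drwx------*) ;;
        *) echo "MODE $dir is $1, expected drwx------"; bad=1 ;;
    esac
    [ "$2" = "$user" ] || { echo "OWNER $dir belongs to $2, not $user"; bad=1; }

    # Files gpg reads and rewrites as the running user.
    for name in random_seed pubring.gpg secring.gpg trustdb.gpg; do
        f=$dir/$name
        [ -e "$f" ] || continue
        set -- $(mode_owner "$f")
        [ "$2" = "$user" ] || { echo "OWNER $f belongs to $2, not $user"; bad=1; }
    done

    # Assumption: 600 bytes (root's working random_seed in the listing) is
    # the size to expect; any other size is reported, not judged.
    f=$dir/random_seed
    if [ -r "$f" ]; then
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -eq 600 ] || { echo "SEED $f is $size bytes, not 600"; bad=1; }
    fi

    # .#lk* files are lock files; they are leftovers if no gpg is running.
    locks=0
    for f in "$dir"/.#lk*; do
        if [ -e "$f" ]; then locks=$((locks + 1)); fi
    done
    if [ "$locks" -gt 0 ]; then echo "LOCKS $locks lock file(s) in $dir"; bad=1; fi

    return "$bad"
}
```

Run it as the affected account itself (for example `check_gnupg_home /home/ehpadm/.gnupg ehpadm`), so that $HOME and the ownership comparison reflect the user gpg actually runs as.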









