Fw: GnuPG - Encryption process issues.
Ankit Bhardwaj5
ankit.bhardwaj3 at in.ibm.com
Wed Jun 8 18:41:27 CEST 2016
Hello Carlos
As i m busy in completing DR checklist, i will try to finish this by
today.
Regards,
ANKIT BHARDWAJ
SME - AIX
Mobile: 91-9000-146341
E-mail: ankit.bhardwaj3 at in.ibm.com
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: Ankit Bhardwaj5/India/IBM at IBMIN, Rockey L Das/India/IBM at IBMIN
Cc: Daniel Kahn Gillmor <dkg at fifthhorseman.net>,
gnupg-users at gnupg.org, Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes
de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia"
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX,
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>,
Srinivas Masetty/India/IBM at IBMIN
Date: 06/08/2016 10:04 PM
Subject: Re: Fw: GnuPG - Encryption process issues.
Hi Ankit / Ajay,
So far we have not received any response, please revert to GnuPG Support
Team since client is asking for updates and "Reply to all" in this email.
Thanks in advance.
Carlos A. Moreno Torres
Problem Management | CEMEX
Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
Av. Constitución No. 444 Pte.
Monterrey, NL 64000
México
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: Ankit Bhardwaj5/India/IBM at IBMIN, Daniel Kahn Gillmor
<dkg at fifthhorseman.net>, gnupg-users at gnupg.org
Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca
Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia"
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX,
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>,
Srinivas Masetty/India/IBM at IBMIN
Date: 06/06/2016 12:34 PM
Subject: Re: Fw: GnuPG - Encryption process issues.
Hi Ankit,
Below is the response from GnuPG support, please let us know if this can
provide us the specific Root Cause. Please reply to all and direct email
to GnuPG Team if you have any questions for them. Thanks in advance.
Also, do not remove any of the participants of this email.
Hi Carlos--
Please reply in the original thread, to make it easier for people to
follow the discussion.
I've added some References: headers back in here so some mailers might
merge the threads, but this won't work for everyone.
Also, when sharing terminal transcripts, sending mail without
unnecessary line-wrapping will make them much easier for your readers to
interpret.
It looks like you're trying to sign the file (that's what the "-s" part
of "-se" means). For whatever reason, the signature itself is likely to
be what is failing, and not the encryption. If you drop the signatures
in your test (using -e instead of -se) do they all complete cleanly? To
be clear: I'm not saying you shouldn't sign at the same time as
encrypting, i'm trying to help you narrow down the cause of the problem.
I also see you fiddling with the ownership of ~/.gnupg/random_seed --
you really shouldn't need to do that, and ideally each user will control
their own random_seed automatically -- you shouldn't be sharing a gnupg
home directory between to different user accounts unless you absolutely
need to.
--dkg
[attachment "signature.asc" deleted by Ankit Bhardwaj5/India/IBM]
Carlos A. Moreno Torres
Problem Management | CEMEX
Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
Av. Constitución No. 444 Pte.
Monterrey, NL 64000
México
From: Ankit Bhardwaj5/India/IBM
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX
Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca
Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia"
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos Javier/Mexico/IBM at IBMMX,
"Samuel Mizrain Ramos Javier" <samuelmizrain.ramos at ext.cemex.com>,
Srinivas Masetty/India/IBM at IBMIN
Date: 05/31/2016 10:46 AM
Subject: Re: Fw: GnuPG - Encryption process issues.
Hello Carlos
Please share below information with GPG team i think by seeing the results
of test performed by us on system they will able to give us the solution
We have tested below things in envirnoment
-> Userd Details used in this test
root
ehpadm
Permissions under user "root"
-> Directory Permission of root
drwx------ 2 root sapsys 4096 May 31 09:39
/home/root/.gnupg
-> Files Under /home/root/.gnupg
-rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg
-rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg
-r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf
-rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~
-rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg
-rw------- 1 root sapsys 11 Apr 28 08:44
.#lk200104a8.mxoccsapehpn2.8716480
-rw------- 1 root sapsys 11 Apr 28 08:53
.#lk2000c2c8.mxoccsapehpn2.11141460
-rw------- 1 root sapsys 11 Apr 28 12:00
.#lk200104b8.mxoccsapehpn2.8978598
-rw------- 1 root sapsys 11 Apr 29 08:57
.#lk2000c2c8.mxoccsapehpn2.12911042
-rw------- 1 root sapsys 11 May 2 11:32
.#lk200104b8.mxoccsapehpn2.10748294
-rw------- 1 root sapsys 11 May 2 19:34
.#lk200104b8.mxoccsapehpn2.7471568
-rw------- 1 root sapsys 11 May 2 22:23
.#lk2000c328.mxoccsapehpn2.12058746
-rw------- 1 root sapsys 11 May 2 23:46
.#lk200104b8.mxoccsapehpn2.6750230
-rw------- 1 root sapsys 11 May 3 10:28
.#lk200104b8.mxoccsapehpn2.14221392
-rw------- 1 root sapsys 11 May 3 13:45
.#lk200104b8.mxoccsapehpn2.9240874
-rw------- 1 root sapsys 600 May 31 09:39 random_seed
->Permissions under user "ehpadm"
drwx------ 2 ehpadm sapsys 4096 May 31 09:48
/home/ehpadm/.gnupg
-> Files Under /home/ehpadm/.gnupg
-rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg
-rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~
-rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg
-rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg
-rw------- 1 ehpadm sapsys 11 May 3 22:03
.#lk200104b8.mxoccsapehpn2.6488076
-rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf
-rw------- 1 ehpadm sapsys 11 May 4 13:43
.#lk2000c328.mxoccsapehpn2.6160766
-rw------- 1 ehpadm sapsys 11 May 4 13:55
.#lk2000c328.mxoccsapehpn2.8913004
-rw------- 1 ehpadm sapsys 11 May 4 15:55
.#lk2000c328.mxoccsapehpn2.12976528
-rw------- 1 ehpadm sapsys 11 May 4 17:58
.#lk2000c328.mxoccsapehpn2.10158578
-rw------- 1 ehpadm sapsys 11 May 4 18:06
.#lk2000c328.mxoccsapehpn2.5308674
-rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed
#### Test 1 ##### -------Failed Test
->Created file name "testehpadm" in ehpadm home directory
-rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06
/home/ehpadm/testehpadm
-> Invoke GPG progrma using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output
/home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model
always /home/ehpadm/testehpadm
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/ehpadm/testehpadm.pgp'
-> command is not exiting , we have to forecfully kill the command every
time and file generated by PGP is zero bytes
-rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06
/home/ehpadm/testehpadm.pgp
#### Test 2 ##### --------Successful Test
->Created file name "testroot" in root home directory
-rw-r--r-- 1 root system 7 May 31 10:11
/home/root/testroot
-> Invoke GPG progrma using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output
/home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always
/home/root/testroot
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/root/testroot.pgp'
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
Test completed successfully with no errors
-rw-r--r-- 1 root system 1649 May 31 10:12
/home/root/testroot.pgp
#### Test 3 ##### ---------Test is successful but giving some error
->Created file name "testehpadm" in ehpadm home directory
-rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06
/home/ehpadm/testehpadm
-> Changed the owner of "random seed" file to root so that ehpadm can not
write to random_seed file
-rw------- 1 root system 0 May 31 10:00
/home/ehpadm/.gnupg/random_seed
-> Invoke GPG progrma using below command
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output
/home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model
always /home/ehpadm/testehpadm
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y
gpg: writing to `/home/ehpadm/testehpadm.pgp'
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
gpg: note: random_seed file not updated
-> command is exiting successfully , but below errors are coming
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated
Encrypted file is generated
-rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25
/home/ehpadm/testehpadm.pgp
So when we have original random seed file in home directory of ehpadm
user, gpg encryption program is not working and when we change the owner
of this file and make root as the owner gpg
is bypassing this file and it generated the encypted file with below error
as in TEST 3
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated
Regards,
ANKIT BHARDWAJ
SME - AIX
Mobile: 91-9000-146341
E-mail: ankit.bhardwaj3 at in.ibm.com
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: Ankit Bhardwaj5/India/IBM at IBMIN
Cc: "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>, Srinivas
Masetty/India/IBM at IBMIN, Ajay B Challa/India/IBM at IBMIN, Samuel Ramos
Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier"
<samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando Montes de Oca
Tavera/Mexico/Contr/IBM at IBMMX
Date: 05/31/2016 07:11 PM
Subject: Fw: GnuPG - Encryption process issues.
Hi Ankit,
Please confirm if information provided by GnuPG Support Team lead us to a
specific Root Cause or if more details are required, since issue can occur
again, generating another RCA with higher visibility.
Thanks in advance.
Carlos A. Moreno Torres
Problem Management | CEMEX
Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
Av. Constitución No. 444 Pte.
Monterrey, NL 64000
México
----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on
05/31/2016 08:36 AM -----
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>, Juan
Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit
Bhardwaj5/India/IBM at IBMIN
Cc: Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos
Javier" <samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando Montes de Oca
Tavera/Mexico/Contr/IBM at IBMMX
Date: 05/27/2016 03:05 PM
Subject: Fw: GnuPG - Encryption process issues.
FYI
Carlos A. Moreno Torres
Problem Management | CEMEX
Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
Av. Constitución No. 444 Pte.
Monterrey, NL 64000
México
----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on
05/27/2016 03:04 PM -----
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX,
gnupg-users at gnupg.org
Date: 05/27/2016 10:32 AM
Subject: Re: GnuPG - Encryption process issues.
On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote:
> In recent days, Human Resources Department had some issues while using
the
> Encryption Program GnuPG in payroll activities, this issue caused a
delay
> since files where encrypted but information was in blank (like if
> encryption process did not finish.)
>
> As part of remediation process, we found out that it could only work
with
> Root Permissions but not with the current user. We want to confirm how
does
> the encryption process works and if you can share any thoughts of what
> might could happen. If you require more information, please do not
hesitate
> to ask me.
It sounds to me like the installation of gnupg that you are using is
misconfigured. GnuPG depends heavily on a "keyring" -- a collection of
public key material (and sometimes private key material, if decryption
or signing is needed), which it maintains in the .gnupg directory within
the running user's home directory (found by the environment variable
$HOME).
If you've started with a normal user account, but have then run gnupg as
root (e.g. using "su") without resetting $HOME to root's actual homedir
(usually /root on the systems i use), then it's possible that you've
created ~/.gnupg with the wrong permissions.
Or, it's possible that the .gnupg directory is *only* available within
root's homedir.
Does your non-privileged user have a ~/.gnupg directory? if so, does it
have read and write access to it?
What error messages do you get from invoking gpg directly?
--dkg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160608/74c3c046/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0006.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0007.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0008.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0009.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0010.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2022 bytes
Desc: not available
URL: </pipermail/attachments/20160608/74c3c046/attachment-0011.gif>
More information about the Gnupg-users
mailing list