Brace yourself: User-friendly but broken OpenPGP is here

Sheogorath sheogorath at shivering-isles.com
Sat Aug 29 16:17:51 CEST 2020


Hello to everyone,

Today I got an encrypted email from a friend that turned out to be
undecryptable in the first place. After my Evolution integration failed, I
checked manually using gpg --decrypt.

This provided me with the lovely statement of:

gpg: encrypted with 4096-bit RSA key, ID FCB98C2A3EC6F601, created 2019-09-04
      "Sheogorath <sheogorath at shivering-isles.com>"
gpg: decryption failed: No secret key

First I was confused as this was obviously my key, but why no secret
key around? I'm using a smartcard so maybe an issue there? A closer
inspection of the key ID showed that it was encrypted with my master
key. A key that is not marked to be used for encryption. So how the
heck did that happen?

Reaching out to the friend I was told that they were using
canarymail[1]. This email client for Mac and iOS claims to support
OpenPGP. Reaching out to my Mastodon followers I tried to reproduce the
issue with someone who never mailed me before and here it got even
better. They seem to discover keys using WKD. But they ignore expiry
dates and revocations on keys as they listed my old and, as mentioned,
revoked keys.

So if you get any undecryptable emails in the next few days, don't
worry: your setup is not broken, it's probably just a Mac user using an
email client that didn't bother to implement OpenPGP even remotely
correctly.

---

TL;DR: Canarymail[1] implements the encryption part of OpenPGP properly
but ignores all the key management parts, from selecting the right
encryption key to taking care of revoked or expired keys. But they
provide a nice GUI and make it easy for people to use this broken
implementation, so don't wonder if you get some emails that require you
to get your master secret key out to read them, even when it was never
allowed to be used for encryption.

---

I hope this email helps the community to find the right people to fix
the problem. I tried to reach out to them via Twitter but so far, no
luck. And otherwise to spread at least awareness about the problem.

[1]: https://canarymail.io/

-- 
Signed
Sheogorath

OpenPGP: https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt
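
Added example, not part of the original message and not code from any mail client: a sketch of the recipient-key selection the post says was skipped, run over `gpg --with-colons` style key listings. The function name `encryption_targets` is hypothetical, and the sample listing, key IDs and dates are constructed.

```python
import time

# Constructed `gpg --with-colons --list-keys` output; key IDs and dates are made up.
# Fields used (1-based): 1 record type, 2 validity, 5 key ID, 7 expiry, 12 capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1567555200:::u:::scESC::::::23::0:
uid:u::::1567555200::0000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1567555200:1893456000:::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1567555200:1893456000:::::s::::::23:
sub:r:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::e::::::23:
sub:e:4096:1:EEEEEEEEEEEEEEEE:1500000000:1550000000:::::e::::::23:
"""

BAD_VALIDITY = {"r": "revoked", "e": "expired", "i": "invalid", "d": "disabled"}


def encryption_targets(listing, now=None):
    """Return (usable_key_ids, {key_id: reason_rejected}) for a key listing."""
    now = time.time() if now is None else now
    usable, rejected, primary_bad = [], {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        validity, keyid, expiry, caps = f[1], f[4], f[6], f[11]
        reason = BAD_VALIDITY.get(validity)
        # The validity flag is as of listing time; re-check the expiry timestamp too.
        if reason is None and expiry.isdigit() and int(expiry) <= now:
            reason = "expired"
        if f[0] == "pub":
            primary_bad = reason  # a revoked or expired primary invalidates its subkeys
        elif reason is None and primary_bad:
            reason = "primary " + primary_bad
        # Lowercase letters are this key's own usage flags. On a pub record the
        # uppercase letters summarise the whole key, so "E" there is not enough.
        if reason is None and "e" not in caps:
            reason = "not encryption-capable"
        if reason is None:
            usable.append(keyid)
        else:
            rejected[keyid] = reason
    return usable, rejected


if __name__ == "__main__":
    ok, bad = encryption_targets(SAMPLE, now=1600000000)
    print("encrypt to:", ok)
    for keyid, why in bad.items():
        print("skip", keyid, "-", why)
```
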