Decryption Failed Error: 117440664

I have installed gpg4win version 3.1.0. I installed it on a Windows 2008 R2 and a Windows 2012 server. I am trying to decrypt the file using Kleopatra and am getting the attached error. I have also attached the logs.

Basically we have an interface wherein we download a file from a vendor’s FTP site, decrypt the file and then process it. To do this I am using an ETL tool called Pentaho. To decrypt the file from within Pentaho I am using gpg4win.

I did the following on a Windows 2012 VM server:
After my initial installation I ran the job from within PDI and everything worked fine.
After that I kicked off the Pentaho job using a batch file and it worked fine.
After that I scheduled the batch file in Windows scheduler and it worked fine.
When I kicked off Windows scheduler a second time it resulted in an error.

Now forget about Pentaho, even if I try to decrypt the file directly using Kleopatra (on the Windows 2012 server) I get the attached error. I have attached a screenshot of the Kleopatra error. When I try to decrypt the same file, which resides on the server, from my local Windows 10 it works fine.

When I decrypt using Kleopatra on the server it does not even ask for the passphrase and results in an error, whereas from my local machine it asks for the passphrase and completes successfully.

Any help on the matter is highly appreciated.

Thanks

kleo-log (18.8 KB)

I’ll appreciate a response from anyone, I am in a fix here.

Thanks,

The error passed to the GUI from GnuPG is not helpful here. From your log I can see that Kleopatra only sees the error you mentioned and has no more information.

The best thing you can do is to leave out the middleman (Kleopatra) and use the “gpg” binary directly from the command line.

e.g. “gpg --verbose --decrypt path_to_file”

This will probably give you a better / more detailed error. If not, there are many more ways to make it even more verbose (e.g. --debug-level guru) or look at the data (--list-packets).

As a side note (does not appear to be the problem here), one common problem with the task scheduler is that the homedir changes depending on the login state. Good advice there is to use the --homedir option to directly specify a homedir.

https://wiki.gnupg.org/TroubleShooting#Windows_.3E_8_and_Server_2012_Task_Scheduler_Problems

Thanks for your help Andre. Below is the output of the direct command:

C:\Users\XXXXXXXX>"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --verbose --decrypt D:\order_status\NNA2EFLEET_AP20180427.txt.pgp
gpg: armor header: Version: BCPG v1.38
gpg: public key is XXXXXXXXXXXXXXXX
gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key YYYYYYYYYYYYYYYY
gpg: pinentry launched (4716 qt 1.1.1-beta5 - - -)
gpg: AllowSetForegroundWindow(4716) failed: The parameter is incorrect.

gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key YYYYYYYYYYYYYYYY
gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2018-04-20
“AAAAA AAAAAA@BBBBBB.com
gpg: public key decryption failed: Timeout
gpg: decryption failed: No secret key

This error tells you that the “passphrase” entry to use your private key timed out.

Is it possible that somehow the window is not shown? E.g. When using windows openssh it would not show windows.

You can try to use a different pinentry (maybe there is a problem with qt on your system) by renaming c:\program files\gpg4win\bin\pinentry-w32.exe to c:\program files\gpg4win\bin\pinentry.exe (after renaming the old pinentry.exe to something like pinentry_orig.exe).

Alternatively you can bypass the GUI pinentry by adding “pinentry-mode loopback”, e.g.:

gpg --pinentry-mode loopback --decrypt D:\order_status\NNA2EFLEET_AP20180427.txt.pgp

Thanks Andre for helping me out on this. I really appreciate it.

Yes, the window did not show up, and if you see my command I had not supplied the passphrase in the command either. My bad.

When I supplied the passphrase I got the error below. Also, ultimately this has to run on a scheduler, so I should be able to supply the passphrase without a window popping up and someone keying it in.

FYI: From the tool we do send in passphrase.

C:\Users\XXXXXXXX>"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --verbose --passphrase "PassPhraseHere" --decrypt D:order_status\Nissan\NNA2EFLEET_AP20180427.txt.pgp
gpg: armor header: Version: BCPG v1.38
gpg: public key is XXXXXXXXXXXXXXXX
gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key YYYYYYYYYYYYYYYY
gpg: pinentry launched (5468 qt 1.1.1-beta5 - - -)
gpg: AllowSetForegroundWindow(5468) failed: The parameter is incorrect.

gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key YYYYYYYYYYYYYYYY
gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2018-04-20
“AAAAA AAAAAA@BBBBBB.com
gpg: public key decryption failed: Timeout
gpg: decryption failed: No secret key

The parameter “--passphrase …” is a no-op if you do not also add “--pinentry-mode loopback”. So you are running into the same error.

I know that this is bad and should at least give a notice that “--pinentry-mode” is required, but sigh this is gnupg :-/

Very strange that you do not get the window, though. Any idea what could be causing it?

Thanks for the quick response Andre, adding “--pinentry-mode loopback” to my command works like a charm.

Now the tool (Pentaho) that I am using to call the gpg command does not give me any way to pass in --pinentry-mode loopback as an option.

I may end up calling a batch file where I’ll store the command.

You could also put it into your gpg.conf

Create or Edit
%APPDATA%\gnupg\gpg.conf

And add
pinentry-mode loopback

This should have the same effect.

%APPDATA% expands to something like c:\users\yourname\AppData\Roaming

And the gnupg directory below this is the homedir where keys etc. are stored.
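
Added example, not part of the thread and not GnuPG code: a Python check for the condition discussed above (a --passphrase option with no pinentry-mode loopback on the command line or in gpg.conf), plus a scheduler-friendly decrypt call that passes the passphrase on stdin with --passphrase-fd 0 so it never appears in the process command line. The function names are hypothetical, and adding --batch follows the GnuPG manual's note on passphrase options.

```python
import subprocess

PASSPHRASE_OPTS = ("--passphrase", "--passphrase-file", "--passphrase-fd")

# Constructed from the failing command quoted in the thread (paths shortened).
FAILING_ARGV = ["gpg.exe", "--verbose", "--passphrase", "PassPhraseHere",
                "--decrypt", "NNA2EFLEET_AP20180427.txt.pgp"]

def pinentry_mode(argv, conf_text=""):
    """Effective pinentry-mode: gpg.conf first, command line overrides it."""
    mode = None
    for line in conf_text.splitlines():
        words = line.split()  # commented-out lines never match below
        if len(words) == 2 and words[0].lstrip("-") == "pinentry-mode":
            mode = words[1]
    for i, arg in enumerate(argv):
        if arg.startswith("--pinentry-mode="):
            mode = arg.split("=", 1)[1]
        elif arg == "--pinentry-mode" and i + 1 < len(argv):
            mode = argv[i + 1]
    return mode

def ignored_passphrase_options(argv, conf_text=""):
    """Passphrase options that have no effect because loopback is not set."""
    if pinentry_mode(argv, conf_text) == "loopback":
        return []
    names = (arg.split("=", 1)[0] for arg in argv)
    return [n for n in names if n in PASSPHRASE_OPTS]

def build_decrypt_argv(gpg_exe, homedir, infile, outfile):
    """Non-interactive decrypt; the passphrase is read from stdin (fd 0)."""
    return [gpg_exe, "--batch", "--yes", "--homedir", homedir,
            "--pinentry-mode", "loopback", "--passphrase-fd", "0",
            "--output", outfile, "--decrypt", infile]

def decrypt(gpg_exe, homedir, infile, outfile, passphrase):
    """Run gpg and raise with its stderr instead of waiting on a pinentry."""
    argv = build_decrypt_argv(gpg_exe, homedir, infile, outfile)
    if ignored_passphrase_options(argv):
        raise ValueError("passphrase option without pinentry-mode loopback")
    proc = subprocess.run(argv, input=passphrase + "\n", text=True,
                          capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return outfile
```

Passing an explicit homedir also covers the task-scheduler homedir issue mentioned earlier in the thread.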

Thanks Andre, that did the trick for me. I really appreciate all your help on this.

Cannot tell you how much time I have spent on getting this resolved.

You are welcome.

FWIW I will push for a clear error or at least a strong warning in GnuPG if one of the --passphrase options is used without pinentry-mode loopback. The current status of silently ignoring these options is really bad IMO.

I opened a Ticket for this https://dev.gnupg.org/T4020

That will be really helpful. I have wasted a lot of time because of this. I had almost given up on this tool.

Having clear documentation and messages is very important for new people like me.

Again I really appreciate all your help with this. Hopefully this thread will also help people in future.