gpg4win-3.1.2.exe not decrypting!

I had to downgrade back to gpg4win-3.1.1.exe version since the gpg4win-3.1.2.exe gives me an error when decrypting my .asc files and I cannot decrypt them anymore.

Forgot to tell:
Using Windows 10 64-bit, version: 10.0.17134.112

Moreover, I noticed that when I install version 3.1.1 I am asked to restart my PC, while if I install version 3.1.2 I am asked only to open Kleopatra without restarting the PC.
Obviously I restarted my PC even though version 3.1.2 did not ask for it, but the problem is still there: Decryption failed!

Hi Dan,

This is very likely because your encrypted file is not integrity protected (No MDC). Sadly our stack does not yet carry the error through to Kleopatra properly and Kleopatra does not show a good error. I’ve opened a Ticket for this https://dev.gnupg.org/T4038 as we definitely should do that for the next release.

MDC is a mechanism to ensure that the encrypted data was not modified. It’s been in use for ~15 years. Any key created or updated in that time will note that Algorithms that always use an MDC should be used.

To work around this, please use the command line:

gpg --ignore-mdc-error --decrypt "yourfile"

And then re-encrypt it:

gpg -r "recipient1" -r "recipient2" --encrypt "yourfile"

Afterwards it is integrity protected (which is much better) and can be used as usual in Kleopatra.

Apologies for the hassle, but after the EFail “hype” we decided that we needed to enforce this well established countermeasure against the EFail attacks.

Thanks for the quick answer!

Since I am not comfortable with the command line, is there any way to decrypt / re-encrypt my files using the working version 3.1.1 and adding that MDC protection?

Regards

Hi Andre,
since I have quite a few encrypted files on my drive I thought this procedure:

  1. decrypt all my encrypted files using working version 3.1.1
  2. uninstall version 3.1.1
  3. install new version 3.1.2
  4. encrypt all my decrypted files using new version 3.1.2 (btw how do I flag MDC integrity protection?)

Is it possible? How do I tell version 3.1.2 to use MDC integrity protection?

Many thanks.

If your key is recent or recently updated (update means, e.g. changing the expiry date, or adding a user id) it would work to decrypt and then encrypt the file again.

You can update your key by opening the Details (double click) in Kleopatra and then select the Edit button next to the expiry line. If you just close the dialog with “OK” even if you don’t change the expiry date your key should be updated.

Alternatively you could always decrypt through the GUI with 3.1.1 and then encrypt it again with 3.1.2 :-)

The command line probably makes it easier to select the same recipients.

I’ve noted this issue down in our TroubleShooting FAQ
https://wiki.gnupg.org/TroubleShooting#Decryption_Failure_with_Gpg4win-3.1.2_or_later

Good Andre!

One more question: if I do my preferred GUI method “Alternatively you could always decrypt through the GUI with 3.1.1 and then encrypt it again with 3.1.2 :-)”

then I do not need to update my older keys? Do I?

If it’s possible, this will save me a lot of time :-)

Finally, please explain: if I encrypt using the new 3.1.2, will the integrity protection be set “on” by default?

Thanks.

3.1.2 (or more precisely gnupg-2.2.8) will always use MDC regardless of the key preferences.

Older versions look for the MDC flag in the key features. There is no way to check that with Kleopatra.

On the command line, looking at the preferences looks like this:

gpg --edit-key test1@testkolab.intevation.de

pub rsa2048/40431999928CF38B
created: 2016-11-21 expires: never usage: SC
trust: unknown validity: unknown
sub rsa2048/A7D34375D923563D
created: 2016-11-21 expires: never usage: E
[ unknown] (1). Testuser 1 test1@testkolab.intevation.de

gpg> showpref
[ unknown] (1). Testuser 1 test1@testkolab.intevation.de
Cipher: AES256, AES192, AES, 3DES
Digest: SHA256, SHA384, SHA512, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify

There you can see that the key has the MDC Feature flag. This tells older GnuPG Versions that they should use MDC when encrypting to that key.

Eventually I decrypted all my files using the older version 3.1.1 and then I encrypted them all again using the new version 3.1.2.

It took a while but this worked and now I can open all my files using the latest version 3.1.2!

Many thanks for your helpful support!

Best regards.

“3.1.2 (or more precise gnupg-2.2.8) will always use MDC regardless of the Key preferences.”

This is very useful!!! Indeed I didn’t update my keys and all seems to be working well.

Thanks.
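
An added example, not part of the original thread and not GnuPG or Gpg4win code: a Python check that reports which encrypted files lack the MDC discussed above, so only those need to be decrypted and re-encrypted. It reads the OpenPGP packet tags (tag 18 is the integrity-protected packet, tag 9 the legacy one without MDC); the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, removing ASCII armor (.asc) if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    start = lines.index(b"") + 1            # blank line ends the armor headers
    body = [l for l in lines[start:] if not l.startswith((b"=", b"-"))]
    return base64.b64decode(b"".join(body)) # CRC line is skipped, not verified

def packet_tags(data: bytes):
    """Yield the tag of each top-level packet (RFC 4880, section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:                           # partial length: streamed, treated as last packet
                length, pos = len(data), pos + 2
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype   # type 3: indeterminate length
            length = len(data) if ltype == 3 else int.from_bytes(data[pos + 1:pos + 1 + n], "big")
            pos += 1 + n
        yield tag
        pos += length

def integrity_status(data: bytes) -> str:
    """'mdc' for tag 18 (SEIPD), 'no-mdc' for tag 9 (legacy), else 'unknown'."""
    for tag in packet_tags(dearmor(data)):
        if tag in (9, 18):
            return "mdc" if tag == 18 else "no-mdc"
    return "unknown"

# Constructed samples: valid packet headers with dummy bodies, not actual ciphertext.
PKESK = bytes([0xC1, 3]) + b"\x03\x00\x00"                # new-format tag 1
WITH_MDC = PKESK + bytes([0xD2, 5]) + b"\x01" + bytes(4)  # new-format tag 18
WITHOUT_MDC = bytes([0x84, 3]) + b"\x03\x00\x00" + bytes([0xA7]) + bytes(8)  # old-format tags 1, 9
ARMORED = (b"-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(WITHOUT_MDC)
           + b"\n=AAAA\n-----END PGP MESSAGE-----\n")
```

To check a real file, pass its bytes to `integrity_status`, for example `integrity_status(open(path, "rb").read())`; a result of `no-mdc` marks a file that 3.1.2 will refuse to decrypt until it is re-encrypted.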