blackbox: gpg: decryption failed: No secret key

Blackbox 89566f7
Gpg 2.2.3

We are facing a Blackbox issue on several local machines (up to date macOS) and on our CI (amazonlinux:2016.09.1.20161221 running on CircleCI). We rely extensively on Blackbox, with nearly 100 encrypted files.

The decryption goes well most of the time, but around 5% of the invocations result in a non-deterministic issue causing gpg to crash. Here is the relevant part of the error logs:

$ blackbox_decrypt_all_files
gpg: key ABCD: public key "abcd <abcd@key>" imported
gpg: key ABCD: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
========== Importing keychain: START
gpg: key 98A87F81DCF732EA: public key "a <a@a>" imported
gpg: key DFB3BB7E72A6AE86: public key "b <b@b>" imported
gpg: key E718D80E5FACEB2B: public key "c <c@c>" imported
gpg: key EFAF45AA074BFF85: public key "d <d@d>" imported
gpg: key E6D589AD1CBB467F: public key "e <e@e>" imported
gpg: key CB36B534CB358125: public key "f <f@f>" imported
gpg: key F591723101148D38: public key "g <g@g>" imported
gpg: Total number processed: 8
gpg:               imported: 7
gpg:              unchanged: 1
========== Importing keychain: DONE
========== Decrypting new/changed files: START
========== EXTRACTED some/secret/file.js
# ...
# Successfully extracting ~90 files
# ...
========== EXTRACTED some/other/secret/file.js
gpg: decryption failed: No secret key
Exited with code 2

Hard to track down, any leads?

About this issue

  • State: open
  • Created 7 years ago
  • Reactions: 7
  • Comments: 17 (3 by maintainers)

Most upvoted comments

Issue persists

I solved a similar issue by setting the GPG_TTY environment variable:

GPG_TTY=$(tty)
export GPG_TTY

in my .zshrc file (.bashrc, …), as seen in the gnupg documentation:
https://gnupg.org/documentation/manuals/gnupg-2.0/Invoking-GPG_002dAGENT.html
https://gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

Especially this line caught my attention:

You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:

GPG_TTY=$(tty)
export GPG_TTY

It is important that this environment variable always reflects the output of the tty command. For W32 systems this option is not required.

I was having similar issues (gpg: decryption failed: No secret key), mostly when pulling encrypted files from git (with no key added or removed, just re-encrypted). Using blackbox_update_all_files only solved the issue until the next git pull. Setting GPG_TTY seems to be definitive.

This post guided me to the solution: https://juliansimioni.com/blog/troubleshooting-gpg-git-commit-signing/
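An added example (not from this thread or the blackbox project) that applies the GnuPG rule quoted above, and goes one step further than the two-line rc snippet: it only exports GPG_TTY when a terminal is actually attached, and it can report whether an inherited GPG_TTY still matches the current tty. On a runner with no terminal, as in the CI case from the original report, `$(tty)` expands to "not a tty", which is a misleading value to hand to gpg-agent, so the variable is left unset there. Function names are my own.

```shell
#!/bin/sh
# Print the tty path when stdin is a terminal; otherwise print nothing
# and return 1 (instead of letting "not a tty" leak into GPG_TTY).
detect_gpg_tty() {
  if [ -t 0 ]; then
    tty
  else
    return 1
  fi
}

# Classify the relationship between the exported value ($1, "" if unset)
# and the current tty ($2, "" if no terminal). Prints one of:
#   no-tty   no terminal attached (CI, cron): GPG_TTY should stay unset
#   missing  terminal present but GPG_TTY not exported
#   stale    GPG_TTY points at another tty (inherited from a parent shell,
#            tmux/screen reattach, ...): pinentry will fail
#   ok       GPG_TTY reflects the output of tty, as the manual requires
gpg_tty_status() {
  want=$1
  have=$2
  if [ -z "$have" ]; then
    echo "no-tty"
  elif [ -z "$want" ]; then
    echo "missing"
  elif [ "$want" != "$have" ]; then
    echo "stale"
  else
    echo "ok"
  fi
}

# Export GPG_TTY from the live tty. Returns 0 when exported, 1 when there
# is no terminal (and makes sure no stale value is left behind).
setup_gpg_tty() {
  _t=$(detect_gpg_tty) || { unset GPG_TTY; return 1; }
  GPG_TTY=$_t
  export GPG_TTY
}

# Check an already-set GPG_TTY against the live tty; prints the status
# and returns 0 only for "ok". Handy before blackbox_decrypt_all_files.
check_gpg_tty() {
  cur=$(detect_gpg_tty) || cur=""
  st=$(gpg_tty_status "${GPG_TTY:-}" "$cur")
  echo "$st"
  [ "$st" = "ok" ]
}
```

Put `setup_gpg_tty` in the rc file in place of the two bare lines, and run `check_gpg_tty` in a shell where decryption failed to see whether "stale" or "missing" explains the "No secret key" error before suspecting the keyring.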

I’ve noticed similar problems recently; is this issue still relevant for @aymericbeaumet?

If you get “gpg: decryption failed: No secret key”, it often means a file was not re-encrypted with the new key. Does that help?