Ignoring GnuPG MDC errors

Ignoring GnuPG MDC errors

duplicity-talk mailing list
Hi,

I'm curious about the resolution of bug #1780617 [0],
"test_sigchain_fileobj test fails when GnuPG >= 2.2.8".

The bug was filed in response to a recent change in GnuPG that made gpg
check for integrity errors ("MDC errors") in encrypted archives by
default, and to consider integrity errors to be a hard failure.

This change in GnuPG caused a test failure in Duplicity, and the
response was to unconditionally ignore the result of the integrity
check. [1]

The Duplicity web page says, "Because duplicity uses GnuPG to encrypt
and/or sign these archives, they will be safe from spying and/or
modification by the server."

I don't fully understand the impact of this change on Duplicity, or how
Duplicity stores and authenticates its archives. How does Duplicity
protect against modification of backup archives?

[0] https://bugs.launchpad.net/duplicity/+bug/1780617

[1] https://bazaar.launchpad.net/~duplicity-team/duplicity/0.8-series/revision/1308

_______________________________________________
Duplicity-talk mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/duplicity-talk


Re: Ignoring GnuPG MDC errors

duplicity-talk mailing list
Hi,

Prior to GnuPG 2.2.8, the MDC (modify detection code) was optional.  Now it's on by default.  Duplicity does a hash of the entire file so the MDC is duplication of effort.  Plus the effort is difficult when maintaining backwards compatibility.  I decided that other development was more important at this time, so turned off MDC via gpg options and got rid of the problem.  You are still protected by the hash stored in the manifest.

...Thanks,
...Ken



Re: Ignoring GnuPG MDC errors

duplicity-talk mailing list
On Wed, Sep 05, 2018 at 03:42:21PM -0500, Kenneth Loafman wrote:
> Prior to GnuPG 2.2.8, the MDC (modify detection code) was optional.  Now
> it's on by default.  Duplicity does a hash of the entire file so the MDC is
> duplication of effort.  Plus the effort is difficult when maintaining
> backwards compatibility.  I decided that other development was more
> important at this time, so turned off MDC via gpg options and got rid of
> the problem.  You are still protected by the hash stored in the manifest.

Thanks for taking the time to clarify this for me. I really appreciate
it :)


Encryption failed (Code 2)

duplicity-talk mailing list
Hi,

I changed my OS to next Ubuntu LTS 18.04.
First trial to use duplicity after some months with images ended with an
error - and I am not sure if the problem fits to the Duplicity-talk
mails below concerning GnuPG MDC errors.

If it is the same problem: Can somebody tell me how to turn off MDC via
gpg options? Or where to get the information?

Anyhow: Would be nice to get any tips.
Thanks a lot in advance

Vera


Encryption failed (Code 2).
gpg: WARNUNG: Unsicheres Besitzverhältnis des Home-Verzeichnis `/home/XXXX/.gnupg'
gpg: "YYYYYYYY" wird als voreingestellter geheimer Signaturschlüssel benutzt
[GNUPG:] KEY_CONSIDERED ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ A
[GNUPG:] KEY_CONSIDERED CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC B
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 7172 gnome3:curses 1.1.0 - xterm-256color :0
gpg: Beglaubigung fehlgeschlagen: Unpassender IOCTL (I/O-Control) für das Gerät
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] FAILURE sign-encrypt 83918950
gpg: /usr/bin/duply: sign+encrypt failed: Unpassender IOCTL (I/O-Control) für das Gerät

Hint:
   This error means that gpg is probably misconfigured or not working
   correctly. The error message above should help to solve the problem.
   However, if for some reason duply should misinterpret the situation you
   can define GPG_TEST='disabled' in the conf file to bypass the test.
   Please do not forget to report the bug in order to resolve the problem
   in future versions of duply.



-------- Forwarded Message --------
Subject: Re: [Duplicity-talk] Ignoring GnuPG MDC errors
Date: Wed, 5 Sep 2018 15:42:21 -0500
From: Kenneth Loafman via Duplicity-talk <[hidden email]>
Reply-To: Discussion about duplicity backup <[hidden email]>
To: Discussion about duplicity backup <[hidden email]>
CC: Kenneth Loafman <[hidden email]>

Hi,

Prior to GnuPG 2.2.8, the MDC (modify detection code) was optional.  Now
it's on by default.  Duplicity does a hash of the entire file so the MDC is
duplication of effort.  Plus the effort is difficult when maintaining
backwards compatibility.  I decided that other development was more
important at this time, so turned off MDC via gpg options and got rid of
the problem.  You are still protected by the hash stored in the manifest.

...Thanks,
...Ken



Re: Encryption failed (Code 2)

duplicity-talk mailing list
hi Vera,

please state your duplicity and gpg versions.

..ede/duply.net


Re: Encryption failed (Code 2)

duplicity-talk mailing list
Hi Edgar,

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1

duplicity 0.7.17

Vera


Re: Encryption failed (Code 2)

duplicity-talk mailing list
that's most likely no MDC issue.

you probably used gpg 1.x before.

since gpg 2.1 some config is needed to convince gpg to accept piped in passphrases. see
https://lists.launchpad.net/duplicity-team/msg02653.html

essentially you need

1.
to add the line

allow-loopback-pinentry

to '.gnupg/gpg-agent.conf' in the user's home folder that runs the backup.

2.
add

GPG_OPTS='--pinentry-mode loopback'

to your duply conf file


good luck ..ede/duply.net



Re: Encryption failed (Code 2)

duplicity-talk mailing list
Hi Edgar,

there is no file gpg-agent.conf in the profile folder .gnupg
Searching for gpg-agent.conf I could only find a file
/var/lib/dpkg/info/gpg-agent.conffiles which seems to be something
different.

In .gnupg are the files
private-keys-v1.d  random_seed  S.gpg-agent.browser  trustdb.gpg
pubring.gpg        secring.gpg  S.gpg-agent.extra
pubring.gpg~       S.gpg-agent  S.gpg-agent.ssh

Vera


Re: Encryption failed (Code 2)

duplicity-talk mailing list
Vera,

don't hesitate to create it. it's a standard config file
  https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html

..ede/duply.net
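
The two settings discussed in this thread (the gpg-agent.conf line and the duply GPG_OPTS line), applied idempotently and creating gpg-agent.conf when it does not exist yet. This is an added example, not code from the posters or from duply: the function names, the conf-path argument and the status-line triage heuristic are assumptions, and the sample status lines are the ones from the log posted above.

```shell
#!/bin/sh
# Added example: apply the loopback-pinentry settings from the thread.
# Function names and the heuristic below are illustrative assumptions.

LOOPBACK_AGENT_LINE='allow-loopback-pinentry'
LOOPBACK_GPG_OPT='--pinentry-mode loopback'

# Status lines copied from the log in the thread (key IDs were already masked).
SAMPLE_STATUS='[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 7172 gnome3:curses 1.1.0 - xterm-256color :0
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] FAILURE sign-encrypt 83918950'

# Append line $2 to file $1, first terminating an unterminated last line.
append_line() {
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# Step 1: make sure <gnupg_home>/gpg-agent.conf exists and carries the line.
# Creates the directory (0700) and the file (0600) if missing; a second run
# does not duplicate the line.
ensure_loopback_pinentry() {
    local home_dir=$1 conf
    conf="$home_dir/gpg-agent.conf"
    mkdir -p "$home_dir" && chmod 700 "$home_dir" || return 1
    # gpg warns about a home directory the running user does not own.
    [ -O "$home_dir" ] || { echo "not the owner of $home_dir" >&2; return 1; }
    [ -e "$conf" ] || ( umask 077; : > "$conf" ) || return 1
    if grep -Eq "^[[:space:]]*${LOOPBACK_AGENT_LINE}[[:space:]]*$" "$conf"; then
        return 0    # already configured
    fi
    append_line "$conf" "$LOOPBACK_AGENT_LINE"
}

# Step 2: make sure the duply conf file sets GPG_OPTS with the loopback option.
# Returns 0 if present or appended, 2 if GPG_OPTS is already set to something
# else (left untouched so existing options are not overwritten), 1 on error.
ensure_duply_gpg_opts() {
    local conf=$1 current
    [ -f "$conf" ] || { echo "no such duply conf: $conf" >&2; return 1; }
    current=$(grep -E '^[[:space:]]*GPG_OPTS=' "$conf" | tail -n 1)
    if [ -z "$current" ]; then
        append_line "$conf" "GPG_OPTS='$LOOPBACK_GPG_OPT'"
        return 0
    fi
    case $current in
        *"$LOOPBACK_GPG_OPT"*) return 0 ;;
        *) echo "GPG_OPTS already set, add '$LOOPBACK_GPG_OPT' by hand: $current" >&2
           return 2 ;;
    esac
}

# Heuristic triage of gpg status output on stdin: a pinentry launch followed
# by a FAILURE of a sign/encrypt operation points at passphrase entry.
looks_like_pinentry_failure() {
    awk '
        $1 == "[GNUPG:]" && $2 == "PINENTRY_LAUNCHED" { pinentry = 1 }
        $1 == "[GNUPG:]" && $2 == "FAILURE" && pinentry &&
            $3 ~ /^(sign|encrypt|sign-encrypt)$/      { hit = 1 }
        END { exit !hit }
    '
}

# Touch the real configuration only when asked: script.sh --apply <duply conf>
if [ "${1:-}" = "--apply" ]; then
    ensure_loopback_pinentry "${GNUPGHOME:-$HOME/.gnupg}" || exit 1
    ensure_duply_gpg_opts "${2:?path to the duply conf file required}" || exit $?
    # Have a running agent pick up the changed gpg-agent.conf.
    if command -v gpgconf >/dev/null; then gpgconf --reload gpg-agent; fi
fi
```
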

On 21.02.2019 17:12, Vera Schmidt wrote:

> Hi Edgar,
>
> there is no file gpg-agent.conf in the profile folder .gnupg
> Seachfing for gpg-agent.conf I could only find a file /var/lib/dpkg/info/gpg-agent.conffiles which seems to be something different.
>
> In .gnupg are the files
> private-keys-v1.d  random_seed  S.gpg-agent.browser  trustdb.gpg
> pubring.gpg        secring.gpg  S.gpg-agent.extra
> pubring.gpg~       S.gpg-agent  S.gpg-agent.ssh
>
> Vera
>
> Am 20.02.19 um 17:41 schrieb edgar.soldin--- via Duplicity-talk:
>> thats most likely no MDC issue.
>>
>> you probably used gpg 1.x before.
>>
>> since gpg 2.1 some config is needed to convince gpg to accept piped in passphrases. see
>> https://lists.launchpad.net/duplicity-team/msg02653.html
>>
>> essentially you need
>>
>> 1.
>> to add the line
>>
>> allow-loopback-pinentry
>>
>> to '.gnupg/gpg-agent.conf' in the users home folder that runs the backup.
>>
>> 2.
>> add
>>
>> GPG_OPTS='--pinentry-mode loopback'
>>
>> to your duply conf file
>>
>>
>> good luck ..ede/duply.net
>>
>>
>> On 20.02.2019 14:32, Vera Schmidt via Duplicity-talk wrote:
>>> Hi Edgar,
>>>
>>> gpg (GnuPG) 2.2.4
>>> libgcrypt 1.8.1
>>>
>>> duplicity 0.7.17
>>>
>>> Vera
>>>
>>> Am 20.02.19 um 12:42 schrieb [hidden email]:
>>>> hi Vera,
>>>>
>>>> please state your duplicity and gpg versions.
>>>>
>>>> ..ede/duply.net
>>>>
>>>> On 20.02.2019 12:37, Vera Schmidt via Duplicity-talk wrote:
>>>>> Hi,
>>>>>
>>>>> I changed my OS to next Ubuntu LTS 18.04.
>>>>> First trial to use duplicity after some month with images ended with an error - and I am not sure if the problem fits to the Duplicity-talk mails below concerning GnuPG MDC errors.
>>>>>
>>>>> If it is the same problem: Can somebody tell me how to turn off MDC via gpg options? Or where to get the information?
>>>>>
>>>>> Anyhow: Would be nice to get any tips.
>>>>> Thanks alot in advance
>>>>>
>>>>> Vera
>>>>>
>>>>>
>>>>> Encryption failed (Code 2).
>>>>> gpg: WARNUNG: Unsicheres Besitzverhältnis des Home-Verzeichnis `/home/XXXX/.gnupg'
>>>>> gpg: "YYYYYYYY" wird als voreingestellter geheimer Signaturschlüssel benutzt
>>>>> [GNUPG:] KEY_CONSIDERED ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ A
>>>>> [GNUPG:] KEY_CONSIDERED CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC B
>>>>> [GNUPG:] BEGIN_SIGNING H8
>>>>> [GNUPG:] PINENTRY_LAUNCHED 7172 gnome3:curses 1.1.0 - xterm-256color :0
>>>>> gpg: Beglaubigung fehlgeschlagen: Unpassender IOCTL (I/O-Control) für das Gerät
>>>>> [GNUPG:] BEGIN_ENCRYPTION 2 9
>>>>> [GNUPG:] FAILURE sign-encrypt 83918950
>>>>> gpg: /usr/bin/duply: sign+encrypt failed: Unpassender IOCTL (I/O-Control) für das Gerät
>>>>>
>>>>> Hint:
>>>>>     This error means that gpg is probably misconfigured or not working
>>>>>     correctly. The error message above should help to solve the problem.
>>>>>     However, if for some reason duply should misinterpret the situation you
>>>>>     can define GPG_TEST='disabled' in the conf file to bypass the test.
>>>>>     Please do not forget to report the bug in order to resolve the problem
>>>>>     in future versions of duply.
>>>>>
>>>>>
>>>>>
>>>>> -------- Weitergeleitete Nachricht --------
>>>>> Betreff: Re: [Duplicity-talk] Ignoring GnuPG MDC errors
>>>>> Datum: Wed, 5 Sep 2018 15:42:21 -0500
>>>>> Von: Kenneth Loafman via Duplicity-talk <[hidden email]>
>>>>> Antwort an: Discussion about duplicity backup <[hidden email]>
>>>>> An: Discussion about duplicity backup <[hidden email]>
>>>>> Kopie (CC): Kenneth Loafman <[hidden email]>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Prior to GNUpg 2.2.8, the MDC (modify detection code) was optional.  Now
>>>>> it's on by default.  Duplicity does a hash of the entire file so the MDC is
>>>>> duplication of effort.  Plus the effort is difficult when maintaining
>>>>> backwards compatibility.  I decided that other development was more
>>>>> important at this time, so turned off MDC via gpg options and got rid of
>>>>> the problem.  You are still protected by the hash stored in the manifest.
>>>>>
>>>>> ...Thanks,
>>>>> ...Ken
>>>>>
>>>>>
>>>>> On Tue, Sep 4, 2018 at 5:45 PM Leo Famulari via Duplicity-talk <[hidden email]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm curious about the resolution of bug #1780617 [0],
>>>>>> "test_sigchain_fileobj test fails when GnuPG >= 2.2.8".
>>>>>>
>>>>>> The bug was filed in response to a recent change in GnuPG that made gpg
>>>>>> check for integrity errors ("MDC errors") in encrypted archives by
>>>>>> default, and to consider integrity errors to be a hard failure.
>>>>>>
>>>>>> This change in GnuPG caused a test failure in Duplicity, and the
>>>>>> response was to unconditionally ignore the result of the integrity
>>>>>> check. [1]
>>>>>>
>>>>>> The Duplicity web page says, "Because duplicity uses GnuPG to encrypt
>>>>>> and/or sign these archives, they will be safe from spying and/or
>>>>>> modification by the server."
>>>>>>
>>>>>> I don't fully understand the impact of this change on Duplicity, or how
>>>>>> Duplicity stores and authenticates its archives. How does Duplicity
>>>>>> protect against modification of backup archives?
>>>>>>
>>>>>> [0] https://bugs.launchpad.net/duplicity/+bug/1780617
>>>>>>
>>>>>> [1] https://bazaar.launchpad.net/~duplicity-team/duplicity/0.8-series/revision/1308



Re: Encryption failed (Code 2)

duplicity-talk mailing list
Hi,

I generated the file gpg-agent.conf with the allow-loopback-line in
.gnupg and added the GPG_OPTS in my conf file and everything works.

Thank you Edgar

Vera

On 21.02.19 at 17:12, Vera Schmidt via Duplicity-talk wrote:

> Hi Edgar,
>
> there is no file gpg-agent.conf in the profile folder .gnupg
> Searching for gpg-agent.conf I could only find a file
> /var/lib/dpkg/info/gpg-agent.conffiles which seems to be something
> different.
>
> In .gnupg are the files
> private-keys-v1.d  random_seed  S.gpg-agent.browser  trustdb.gpg
> pubring.gpg        secring.gpg  S.gpg-agent.extra
> pubring.gpg~       S.gpg-agent  S.gpg-agent.ssh
>
> Vera
>
> On 20.02.19 at 17:41, edgar.soldin--- via Duplicity-talk wrote:
>> that's most likely no MDC issue.
>>
>> you probably used gpg 1.x before.
>>
>> since gpg 2.1 some config is needed to convince gpg to accept piped in
>> passphrases. see
>> https://lists.launchpad.net/duplicity-team/msg02653.html
>>
>> essentially you need
>>
>> 1.
>> to add the line
>>
>> allow-loopback-pinentry
>>
>> to '.gnupg/gpg-agent.conf' in the users home folder that runs the backup.
>>
>> 2.
>> add
>>
>> GPG_OPTS='--pinentry-mode loopback'
>>
>> to your duply conf file
>>
>>
>> good luck ..ede/duply.net
>>
>>
>> On 20.02.2019 14:32, Vera Schmidt via Duplicity-talk wrote:
>>> Hi Edgar,
>>>
>>> gpg (GnuPG) 2.2.4
>>> libgcrypt 1.8.1
>>>
>>> duplicity 0.7.17
>>>
>>> Vera
>>>
>>> On 20.02.19 at 12:42, [hidden email] wrote:
>>>> hi Vera,
>>>>
>>>> please state your duplicity and gpg versions.
>>>>
>>>> ..ede/duply.net
>>>>
>>>> On 20.02.2019 12:37, Vera Schmidt via Duplicity-talk wrote:
>>>>> Hi,
>>>>>
>>>>> I changed my OS to next Ubuntu LTS 18.04.
>>>>> First trial to use duplicity after some months with images ended
>>>>> with an error - and I am not sure if the problem fits to the
>>>>> Duplicity-talk mails below concerning GnuPG MDC errors.
>>>>>
>>>>> If it is the same problem: Can somebody tell me how to turn off MDC
>>>>> via gpg options? Or where to get the information?
>>>>>
>>>>> Anyhow: Would be nice to get any tips.
>>>>> Thanks a lot in advance
>>>>>
>>>>> Vera
>>>>>
>>>>>
>>>>> Encryption failed (Code 2).
>>>>> gpg: WARNUNG: Unsicheres Besitzverhältnis des Home-Verzeichnis `/home/XXXX/.gnupg'
>>>>> gpg: "YYYYYYYY" wird als voreingestellter geheimer Signaturschlüssel benutzt
>>>>> [GNUPG:] KEY_CONSIDERED ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ A
>>>>> [GNUPG:] KEY_CONSIDERED CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC B
>>>>> [GNUPG:] BEGIN_SIGNING H8
>>>>> [GNUPG:] PINENTRY_LAUNCHED 7172 gnome3:curses 1.1.0 - xterm-256color :0
>>>>> gpg: Beglaubigung fehlgeschlagen: Unpassender IOCTL (I/O-Control) für das Gerät
>>>>> [GNUPG:] BEGIN_ENCRYPTION 2 9
>>>>> [GNUPG:] FAILURE sign-encrypt 83918950
>>>>> gpg: /usr/bin/duply: sign+encrypt failed: Unpassender IOCTL (I/O-Control) für das Gerät
>>>>>
>>>>> Hint:
>>>>>     This error means that gpg is probably misconfigured or not working
>>>>>     correctly. The error message above should help to solve the problem.
>>>>>     However, if for some reason duply should misinterpret the situation you
>>>>>     can define GPG_TEST='disabled' in the conf file to bypass the test.
>>>>>     Please do not forget to report the bug in order to resolve the problem
>>>>>     in future versions of duply.
>>>>>
>>>>>
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject: Re: [Duplicity-talk] Ignoring GnuPG MDC errors
>>>>> Date: Wed, 5 Sep 2018 15:42:21 -0500
>>>>> From: Kenneth Loafman via Duplicity-talk <[hidden email]>
>>>>> Reply-To: Discussion about duplicity backup <[hidden email]>
>>>>> To: Discussion about duplicity backup <[hidden email]>
>>>>> CC: Kenneth Loafman <[hidden email]>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Prior to GNUpg 2.2.8, the MDC (modify detection code) was optional.  Now
>>>>> it's on by default.  Duplicity does a hash of the entire file so the MDC is
>>>>> duplication of effort.  Plus the effort is difficult when maintaining
>>>>> backwards compatibility.  I decided that other development was more
>>>>> important at this time, so turned off MDC via gpg options and got rid of
>>>>> the problem.  You are still protected by the hash stored in the manifest.
>>>>>
>>>>> ...Thanks,
>>>>> ...Ken
>>>>>
>>>>>
>>>>> On Tue, Sep 4, 2018 at 5:45 PM Leo Famulari via Duplicity-talk <[hidden email]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm curious about the resolution of bug #1780617 [0],
>>>>>> "test_sigchain_fileobj test fails when GnuPG >= 2.2.8".
>>>>>>
>>>>>> The bug was filed in response to a recent change in GnuPG that made gpg
>>>>>> check for integrity errors ("MDC errors") in encrypted archives by
>>>>>> default, and to consider integrity errors to be a hard failure.
>>>>>>
>>>>>> This change in GnuPG caused a test failure in Duplicity, and the
>>>>>> response was to unconditionally ignore the result of the integrity
>>>>>> check. [1]
>>>>>>
>>>>>> The Duplicity web page says, "Because duplicity uses GnuPG to encrypt
>>>>>> and/or sign these archives, they will be safe from spying and/or
>>>>>> modification by the server."
>>>>>>
>>>>>> I don't fully understand the impact of this change on Duplicity, or how
>>>>>> Duplicity stores and authenticates its archives. How does Duplicity
>>>>>> protect against modification of backup archives?
>>>>>>
>>>>>> [0] https://bugs.launchpad.net/duplicity/+bug/1780617
>>>>>>
>>>>>> [1] https://bazaar.launchpad.net/~duplicity-team/duplicity/0.8-series/revision/1308

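Added example, not part of the thread and not duplicity or duply code: a Python triage of the `[GNUPG:]` status lines from the failed run quoted above, showing why that failure points at pinentry rather than at an MDC check. The bit layout and source ids follow libgpg-error's error-value format; the function names are illustrative and the second log is constructed.

```python
import re

# libgpg-error value layout: source in bits 24-30, error code in the low 16 bits.
SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF
SYSTEM_ERRNO_FLAG = 0x8000  # set when the code wraps an OS errno
SOURCES = {1: "gcrypt", 2: "gpg", 4: "gpg-agent", 5: "pinentry"}  # subset
STATUS_RE = re.compile(r"\[GNUPG:\]\s+(\S+)\s*(.*)$")

# Status lines quoted in the thread (KEY_CONSIDERED lines omitted).
THREAD_LOG = """\
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 7172 gnome3:curses 1.1.0 - xterm-256color :0
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] FAILURE sign-encrypt 83918950
"""
# Constructed sample: a decryption that fails the integrity check.
CONSTRUCTED_MDC_LOG = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

def decode_failure(value):
    """Split a FAILURE status code into its source and error-code parts."""
    source = (value >> SOURCE_SHIFT) & SOURCE_MASK
    code = value & CODE_MASK
    return {"source": SOURCES.get(source, f"source-{source}"),
            "code": code,
            "os_errno": bool(code & SYSTEM_ERRNO_FLAG)}

def classify(log_text):
    """Return (verdict, decoded FAILURE or None) for gpg status output."""
    seen, failure = set(), None
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)  # search() tolerates '>' quote prefixes
        if not m:
            continue
        keyword, args = m.groups()
        seen.add(keyword)
        fields = args.split()
        if keyword == "FAILURE" and len(fields) == 2 and fields[1].isdigit():
            failure = decode_failure(int(fields[1]))
    if "BADMDC" in seen:
        return "mdc", failure
    if failure and failure["source"] == "pinentry":
        return "pinentry", failure
    return ("other-failure" if failure else "no-failure"), failure

if __name__ == "__main__":
    print(classify(THREAD_LOG))
    print(classify(CONSTRUCTED_MDC_LOG))
```

A `pinentry` verdict means the passphrase prompt itself failed, which is the case the `allow-loopback-pinentry` and `--pinentry-mode loopback` settings in the thread address.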