Openpgp: Using python wrapper python-gnupg 'error - sign-encrypt 17' - Error only when signing

799 views Asked by At

For encrypting and signing a message I want to use the python-gnupgp module. The module is a wrapper of gnupgp. The encryption works fine, but if I specify the sign option I get an error.

gpg: WARNING: unsafe permissions on homedir '/home//Programming/GnuPGP/pgphome'\ngpg: Warning: not using 'xxx' as default key: No secret key\ngpg: all values passed to '--default-key' ignored\n[GNUPG:] KEY_CONSIDERED xxx 0\n[GNUPG:] KEY_CONSIDERED AADFCABF9D6B54C7938195737DC2E276767872B0 0\ngpg: no default secret key: No secret key\n[GNUPG:] INV_SGNR 9\n[GNUPG:] FAILURE sign-encrypt 17\ngpg: [stdin]: sign+encrypt failed: No secret key\n"

But I have imported a secret key and want to encrypt using the other_public.asc and sign with my own private key.

I use the module python-openpgp. This is my code:

import gnupg
import os 


pgp_home = os.path.join(os.getcwd(), 'pgphome')
gpg = gnupg.GPG(gnupghome=pgp_home)

cwd = os.getcwd()

own_priv_key_path = os.path.join(cwd, 'assets/keys/own_secret.asc')
own_priv_key_data = open(own_priv_key_path).read()
own_priv_key = gpg.import_keys(own_priv_key_data, passphrase="hellomatthias1")

own_public_key_path = os.path.join(cwd, 'assets/keys/own_public.asc')
own_public_key_data = open(own_public_key_path).read()
own_public_key = gpg.import_keys(own_public_key_data)

other_public_key_path = os.path.join(cwd, 'assets/keys/other_pub.asc')
other_public_key_data = open(other_public_key_path).read()
other_public_key = gpg.import_keys(other_public_key_data)


gpg.trust_keys(own_public_key.fingerprints, trustlevel="TRUST_ULTIMATE")
gpg.trust_keys(own_priv_key.fingerprints, trustlevel="TRUST_ULTIMATE")
gpg.trust_keys(other_public_key.fingerprints, trustlevel="TRUST_ULTIMATE")

dummy_file_path = os.path.join(cwd, 'assets/dummyfiles/hello.txt')
output_file_path = os.path.join(cwd, 'assets/dummyfiles/encrypted_hello.txt')


res = gpg.encrypt("hello how are you", recipients=other_public_key.fingerprints[0], sign=own_priv_key.fingerprints[0], passphrase='passphraseofownprivatekey1')

What am I doing wrong here?

1

There are 1 answers

0
Zilog80 On BEST ANSWER

I guess the problem doesn't come from the code but from the fact that the python-gnupg wrapper uses directly the gpg executable, thus is bound by the gpg executable requirements.

Reading the error messages, you can see that the gpg executable refuses your secret key :

gpg: WARNING: unsafe permissions on homedir '/home//Programming/GnuPGP/pgphome'
gpg: Warning: not using 'xxx' as default key: No secret key
gpg: all values passed to '--default-key' ignored

Gpg requires than the secret keys must be stored in a safe homedir, meaning a homedir with only user access. It seems you have to reduce permissions on the homedir /home//Programming/GnuPGP/pgphome to its own user with the following command :

$ chmod go-rwx /home//Programming/GnuPGP/pgphome

That done, gpg should not ignore your keys anymore.

It could be required to exclude write access, i don't think so but in case of, use then :

$ chmod u-wx,go-rwx /home//Programming/GnuPGP/pgphome