website/blog/2017/11/17/pass.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Pass Says I Have No Secret Key</title>
<link rel="shortcut icon" href="/csh/favicon.ico" type="image/x-icon"/>
<link rel="stylesheet" type="text/css" href="/csh/stylesheet.css"/>
</head>

<body>
<header>
  <p><a href="/csh"><img src="/csh/homeicon" alt="csh"/></a></p>
</header>

<h1>Pass Says I Have No Secret Key</h1>
<p>
  A while ago, I moved to another GNU+Linux distribution and took my
  files with me.  I put all my important files in a tarball and
  extracted them onto the new system in their respective places.
  Someone said moving my GPG dir could be the problem.</p>
<p>
  I'm new to Pass.  Before switching to it, I
  used <a href="https://getvau.lt/">Vault</a> to generate my
  passwords.  In fact, all my current passwords are still generated by
  it.  But, I put them in Pass too.  So, I'm not losing anything by
  using Pass... yet.  That said, I'd still like to fix the
  problem before it becomes serious.</p>
<p>
  Note: my private key <em>does</em> work in both Evolution and the
  plain command line interface to GPG.</p>

<p>
  I went to #pass on Freenode.  Demure linked to
  the <a href="https://wiki.gnupg.org/GnomeKeyring">GnuPG wiki</a>,
  which gave the following solution:</p>
<pre>
sudo dpkg-divert --local --rename \
                 --divert /etc/xdg/autostart/gnome-keyring-gpg.desktop-disable \
                 --add /etc/xdg/autostart/gnome-keyring-gpg.desktop
</pre>
<p>
  Result:</p>
<pre>
Adding 'local diversion of /etc/xdg/autostart/gnome-keyring-gpg.desktop to /etc/xdg/autostart/gnome-keyring-gpg.desktop-disable'
</pre>
<p>
  Even after this, I still get the same error:</p>
<pre>
cal@leela:~$ pass show freepo.st
gpg: WARNING: unsafe permissions on homedir '/home/cal/.gnupg'
gpg: decryption failed: No secret key
</pre>

<p>
  mitfree asked about the file permissions on my GPG directory, to see
  if that was the problem.</p>
<pre>
cal@leela:~$ vdir ~/.gnupg  
lrwxrwxrwx 1 cal cal 20 Oct 25 23:24 /home/cal/.gnupg -> Stow/CRITICAL/.gnupg
</pre>
<p>
  He said this was <q>not safe</q>.</p>
<p>
  I can see why.  Ubuntu lets users see each other's files by default,
  except for a few known important dirs like mail and SSH.  If I had
  multiple users on this system, I'd be in trouble.</p>
<p>
  mitfree linked to
  a <a href="https://superuser.com/questions/954509/what-are-the-correct-permissions-for-the-gnupg-enclosing-folder-gpg-warning#954536">superuser.com
  thread</a> about fixing the file permissions on the GPG directory.
  The following commands were done.</p>
<pre>
chown -R $(whoami) ~/.gnupg/
chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg
</pre>
<p>
  They completed without error.  The permission warning went away, but
  decryption still failed.</p>
<blockquote>
<p>
  Addition: Actually vdir showed that the unix rights on a symbolic link
  (or short "symlink") are lrwxrwxrwx. This is perfectly normal for the
  link itself.
  More important would have been the output for the target directory,
  in this case Stow/CRITICAL/.gnupg.<br>
  However, running chown on the symlink actually changes the rights for
  the target, so the fixed worked in this case, but usually using the
  real path might be a better idea.
</p>
<small class="author">holgersson</small> <!-- https://stackoverflow.com/a/10238819 -->
</blockquote>

<hr/>
<footer>
<p>Last updated: 2017-11-27 10:43:03 CST.</p>
<p>
Copyright 2017 Caleb Herbert under the terms of the
<a href="https://creativecommons.org/licenses/by/4.0/">Attribution
4.0 International</a> license.</p>
</footer>
</body>
</html>