[rt-users] GPG inbound decrypt/verify problems in RT 3.8.1

Tim Wilde tim at krellis.org
Thu Sep 4 10:57:16 EDT 2008 

Greetings all!

I've been running into a very strange decrypt/verify problem with
inbound GPG mail in RT 3.8.1.  The problem seems to be the same with
both PGP/MIME and inline PGP, though I've been mostly testing with
inline PGP.  RT gets the inbound message, and all of the GPG
infrastructure appears to be set up correctly, but encrypted messages
get "NODATA 1" and "NODATA 2" back from GPG, and signed-only messages
get "BADSIG" back.  However, when I look in /tmp, I can see the temp
files that RT creates with the appropriate body parts (based on their
contents and the timestamps), and when I pass them through command-line
gpg, using the same homedir and other options that I pass in my RT
config, it can decrypt/verify them just fine!

As far as I can tell from some testing, it seems that something wonky is
happening with the file handles that are getting passed around - I just
can't figure out what!  If I strip out even one character from those
temp files I found, and run them through command-line gpg, I get the
same results that RT gets.

I have verified that GPG encryption works outbound - I can send an
encrypted message from the queue, and it is encrypted with the
appropriate keys.

RT is 3.8.1, GnuPG::Interface is 0.36, gpg is 1.2.6 (working on getting
that upgraded, though it doesn't seem a likely culprit), Apache is
2.2.9, mod_perl is 2.0.

GnuPG options in RT_SiteConfig.pm:

Set( %GnuPG,
    Enable=>1,
    OutgoingMessagesFormat=>'RFC',
    AllowEncryptDataInDB=>0,
);
Set( %GnuPGOptions,
    'passphrase'=>'mypassphrasehere',
    'no-permission-warning'=>undef,
    'homedir'=>'var/data/gpg',
);
Set(@MailPlugins, 'Auth::MailFrom', 'Auth::GnuPG',
);

My GPG keyrings are in var/data/gpg relative to the RT root, and all my
command-line testing of temp files has used those same keyrings for
consistency.

Debug log entries from encrypted inbound message:

[Thu Sep  4 14:35:03 2008] [debug]: Found encrypted inline part
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:883)
[Thu Sep  4 14:35:03 2008] [debug]: [GNUPG:] NODATA 1
[GNUPG:] NODATA 2
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:1313)
[Thu Sep  4 14:35:03 2008] [error]: gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:1315)
[Thu Sep  4 14:35:03 2008] [debug]: Found GnuPG protected parts
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:234)
[Thu Sep  4 14:35:03 2008] [debug]: Error during verify/decrypt
operation
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:238)
[Thu Sep  4 14:35:03 2008] [error]: Had a problem during decrypting and
verifying
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:97)
[Thu Sep  4 14:35:03 2008] [error]: Couldn't process a message: No data
has been found. The reason is 'No armored data', No data has been found.
The reason is 'Expected a packet, but did not found one'
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:204)
[Thu Sep  4 14:35:04 2008] [debug]: Converting 'ISO-8859-1' to 'utf-8'
for text/plain - encrypted test
(/usr/local/rt-3.8.1/bin/../lib/RT/I18N.pm:231)

Same debug log section from signed inbound message:

[Thu Sep  4 14:35:37 2008] [debug]: Found signed inline part
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:883)
[Thu Sep  4 14:35:37 2008] [debug]: [GNUPG:] BADSIG 96E45B46redacted Tim
Wilde <twilde at redacted>
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:1313)
[Thu Sep  4 14:35:37 2008] [error]: gpg: Signature made Thu Sep  4
14:35:35 2008 GMT using DSA key ID redacted
gpg: BAD signature from "Tim Wilde <twilde at redacted>"
(/usr/local/rt-3.8.1/bin/../local/lib/RT/Crypt/GnuPG.pm:1315)
[Thu Sep  4 14:35:37 2008] [debug]: Found GnuPG protected parts
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:234)
[Thu Sep  4 14:35:37 2008] [debug]: Error during verify/decrypt
operation
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:238)
[Thu Sep  4 14:35:37 2008] [error]: Had a problem during decrypting and
verifying
(/usr/local/rt-3.8.1/bin/../lib/RT/Interface/Email/Auth/GnuPG.pm:97)
[Thu Sep  4 14:35:37 2008] [debug]: Converting 'ISO-8859-1' to 'utf-8'
for text/plain - Subjectless message
(/usr/local/rt-3.8.1/bin/../lib/RT/I18N.pm:231)

Note that the second message did have a subject, "signed test", I don't
know if the fact that RT thinks it was subjectless is relevant or not.

Is it possible that all of this has something to do with specifying the
passphrase in the config (verified multiple times to be the correct
passphrase for the secret key for the queue, by the way) rather than
using the agent?

Based on the other threads here in the archives, I hope this is all the
information needed to take a peek at this.  Again, for both of the
specific messages for which I pasted debug entries here, I have files in
/tmp with the exact body content, which, when passed in to command-line
gpg, work just fine.  I'm at my wit's end, to be honest - any help or
suggestions?

Thanks,
Tim Wilde

More information about the rt-users mailing list