Failed to decrypt with gnupg 2.2.4 #10

Open
sherzberg opened this issue May 3, 2018 · 6 comments

sherzberg commented May 3, 2018

I don't think this is an issue with this terraform provider, but I opened a ticket here first because it is easily reproducible with a simple terraform config. Mainly wanted to drop it here to see if anyone else has run into this issue.

Given a sufficiently large set of pass secrets to refresh, we get failed to decrypt errors on plans. This only seems to happen on > 2.1 gnupg. We have tried several versions of terraform and gnupg, but our testing seems to point to gnupg > 2.1.

Here is some terraform that will replicate the behavior.

provider "pass" {
  refresh_store = false
}

data "pass_password" "dummy" {
  path = "dummy/dummy-${count.index + 1}"

  count = "100"
}

We consistently get something like this:

Error: Error refreshing state: 1 error(s) occurred:

* data.pass_password.dummy: 23 error(s) occurred:

* data.pass_password.dummy[46]: data.pass_password.dummy.46: failed to read password at dummy/dummy-47: Failed to decrypt
* data.pass_password.dummy[12]: data.pass_password.dummy.12: failed to read password at dummy/dummy-13: Failed to decrypt
<redacted more errors>

Software versions:

gpg (GnuPG) 2.2.4
Terraform v0.11.7
terraform-provider-pass 1.0.1

@dragon788

This will quickly become a more common issue as the latest Fedora and Ubuntu will likely be using these newer versions, though perhaps it will get patched on the gnupg side soon.

@dragon788

This appears to have a potential fix in newer libgcrypt versions, but I'm not sure how those interact with the pass/gopass implementations.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882985

Contributor

mcanevet commented Jul 3, 2018

This is weird, I'm on Debian sid with gpg 2.2.8 and I don't have any issue...

wsandin commented Jul 17, 2018

@sherzberg Tried to enable auto expand of secmem?

echo "auto-expand-secmem 0x30000" >> "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
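
The setting suggested above, as an added example that is not part of the original thread: repeated `>>` appends leave duplicate lines, and gpg-agent reads gpg-agent.conf when it starts, so this sketch writes the option exactly once and stops the running agent. The function names and the `--apply` argument are hypothetical; `gpgconf --kill gpg-agent` is the standard GnuPG command.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): set a gpg-agent option idempotently.
# Function names and the --apply argument are hypothetical.

# set_agent_option KEY VALUE [CONF]
# Rewrites CONF so that KEY appears exactly once, with VALUE.
set_agent_option() {
  local key="$1" value="$2"
  local conf="${3:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
  local dir tmp
  dir=$(dirname "$conf")
  # GnuPG expects its home directory to be private to the user.
  [ -d "$dir" ] || mkdir -m 700 -p "$dir" || return 1
  tmp=$(mktemp "$dir/gpg-agent.conf.XXXXXX") || return 1
  if [ -f "$conf" ]; then
    # Keep every line except earlier settings of this key
    # (commented-out lines starting with '#' are preserved).
    grep -v -E "^[[:space:]]*${key}([[:space:]]|\$)" "$conf" > "$tmp" || true
  fi
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# agent_option_value KEY [CONF]: print the value set for KEY in CONF.
agent_option_value() {
  local key="$1"
  local conf="${2:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
  awk -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }' "$conf"
}

# restart_agent: stop the running agent so the next gpg call starts a
# fresh one that has read the updated gpg-agent.conf.
restart_agent() {
  if ! command -v gpgconf >/dev/null 2>&1; then
    echo "gpgconf not found; restart gpg-agent manually" >&2
    return 0
  fi
  gpgconf --kill gpg-agent
}

# Only touch the real configuration when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
  set_agent_option auto-expand-secmem 0x30000
  restart_agent
  echo "auto-expand-secmem = $(agent_option_value auto-expand-secmem)"
fi
```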

xsnrg commented Aug 27, 2018

I seem to be having this problem on a regular basis. I am running Fedora 28 with the following versions:

gnupg2 2.2.8
Terraform v0.11.7
terraform-provider-pass 1.1.0

@wsandin, I have tried the auto expand, but it does not seem to make any difference. Thank you for the suggestion.

@sherzberg
Author

@wsandin sorry for the delay. I'm back on this now since I have just moved to a new laptop. The suggestion you gave did not seem to help. Any other suggestions?
