
Key Generation Fails, no error in Log

2020-06-11
2020-06-19
  • Daniel Sokolov

    Daniel Sokolov - 2020-06-11

    Hello,

    I have trouble generating a new pair of keys with Enigmail 2.16 in
    Thunderbird 68.8.0 64 bit on Linux Mint 18.3 64 bit.

    I get this error message about 1 second after I click to confirm that I,
    indeed, want to generate a new key pair:

    "The key generation failed. Please check the Enigmail console (Menu
    Enigmail > Debugging Options) for details."

    The console, however, only contains the following, and I don't see any
    error message or other helpful "details" there:

    /usr/bin/gpg2 --charset utf-8 --display-charset utf-8
    --no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2
    --gen-key
    %echo Generating key
    Key-Type: EDDSA
    Key-Curve: Ed25519
    Key-Usage: sign
    Subkey-Type: ECDH
    Subkey-Curve: Curve25519
    Subkey-Usage: encrypt
    Name-Real: [name]
    Name-Email: [email]
    Expire-Date: 0

    How may I find out why the key generation fails?

    I have tried going with the default expiry of 5 years, but that doesn't
    help. The only thing that changes is the last line in the console:

    Expire-Date: 1825

    TNX
    Daniel

     
  • Patrick Brunschwig

    I'd recommend the Debugging Log, not the Console.

    Menu Enigmail > Debugging Options -> View Log.

     
  • Daniel Sokolov

    Daniel Sokolov - 2020-06-12

    Aha! Thank you.

    2020-06-11 17:13:14.873 [DEBUG] keyRing.jsm: generateKey: subprocess = [object Object]
    2020-06-11 17:13:14.873 enigmailKeygen.js: Start: gKeygenRequest = [object Object]
    2020-06-11 17:13:14.957 [DEBUG] enigmailKeygen.js: onDataAvailable() gpg: Generating key
    
    2020-06-11 17:13:15.233 [DEBUG] enigmailKeygen.js: onDataAvailable() gpg: agent_genkey failed: Invalid flag
    gpg: key generation failed: Invalid flag
    [GNUPG:] ERROR key_generate 16777288
    [GNUPG:] KEY_NOT_CREATED 
    gpg: done
    

    How do I find out which flag is invalid and how do I fix it?

     
  • Patrick Brunschwig

    This is the 1st time I see such an error. I'll ask the GnuPG developers for advice.

     
  • Patrick Brunschwig

    The GnuPG developers told me that most likely the crypto-library used by GnuPG is too old for using elliptic curve algorithms. You can check the used version on the command line by typing:

    gpg --version
    

    I recommend that you create an RSA key (in key generation, in the Advanced tab).

     
  • Daniel Sokolov

    Daniel Sokolov - 2020-06-18

    Thank you very much. RSA seems to work.
    I'll also check why we don't automatically get a newer GnuPG on Linux Mint.

     
  • Daniel Sokolov

    Daniel Sokolov - 2020-06-18

    Oh, it turns out I had both the old version (required for the operation of Linux Mint) and the new version (package gpg2) all along.

    I read on the Linux Mint forum that Enigmail is supposed to find the new version automatically, and in the Enigmail settings it says "GnuPG was found in /usr/bin/gpg2" (I checked, it is there).

    But at least when it comes to key generation, Enigmail seems to use gpg instead of gpg2?
    What to do about that?

    daniel@xxx ~ $ gpg2 --version
    gpg (GnuPG) 2.1.11
    libgcrypt 1.6.5
    Copyright (C) 2016 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    Thank you.

     

    Last edit: Daniel Sokolov 2020-06-18
  • Patrick Brunschwig

    Enigmail is using gpg2 (GnuPG version 2.1.11).

    The problem is not GnuPG itself, but libgcrypt (which does the crypto-work in GnuPG). You have libgcrypt version 1.6.5, but ECC keys are only supported as of version 1.8. The question is: why do you have such an old version of libgcrypt with a (relatively) new version of GnuPG?

     
  • Daniel Sokolov

    Daniel Sokolov - 2020-06-18

    I do not know. Updates come automatically, and according to the Synaptic Package Manager I have the latest version. The most recent update is from January:

    libgcrypt20 (1.6.5-2ubuntu0.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: ECDSA timing attack
        - debian/patches/CVE-2019-13627.patch: add mitigation against timing
          attack in cipher/ecc-ecdsa.c, mpi/ec.c.
        - CVE-2019-13627
    
     -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 13 Jan 2020 13:39:58 -0500
    
     
  • Patrick Brunschwig

    Well yes. It's just an old version that doesn't support ECC keys, no matter which version of GnuPG you have ... There is not much that we can do about it.
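
The diagnosis reached in this thread can be read off the two outputs already posted. The following is an added example, not part of the thread and not Enigmail or GnuPG code: it splits the `[GNUPG:] ERROR` status value into the component that reported it and the error code, then compares the libgcrypt version printed by `gpg2 --version` with the 1.8 minimum given in the maintainer's reply. The function and variable names are hypothetical; the sample inputs are copied from the posts above.

```sh
# Added example. GPG_LOG and GPG_VERSION_OUT are copied from the thread above.
GPG_LOG='gpg: agent_genkey failed: Invalid flag
[GNUPG:] ERROR key_generate 16777288
[GNUPG:] KEY_NOT_CREATED'
GPG_VERSION_OUT='gpg (GnuPG) 2.1.11
libgcrypt 1.6.5'
MIN_LIBGCRYPT=1.8   # threshold stated by the maintainer in the thread

# Numeric code from the first "[GNUPG:] ERROR <location> <code>" line on stdin.
status_error_code() {
    sed -n 's/^\[GNUPG:] ERROR [^ ]* \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Split a libgpg-error value: bits 24-30 name the reporting component,
# the low 16 bits are the error code (72 = GPG_ERR_INV_FLAG, "Invalid flag").
decode_gpg_error() {
    src=$(( ($1 >> 24) & 127 ))
    code=$(( $1 & 65535 ))
    case $src in          # subset of libgpg-error's source table
        1) name=libgcrypt ;;
        2) name=gpg ;;
        4) name=gpg-agent ;;
        *) name="source-$src" ;;
    esac
    echo "$name $code"
}

# libgcrypt version from `gpg --version` output on stdin.
libgcrypt_version() {
    sed -n 's/^libgcrypt \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds when dotted version $1 >= $2, compared field by field.
version_at_least() {
    have=$1; want=$2
    while [ -n "$have$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

err=$(printf '%s\n' "$GPG_LOG" | status_error_code)
echo "error $err reported by: $(decode_gpg_error "$err")"
ver=$(printf '%s\n' "$GPG_VERSION_OUT" | libgcrypt_version)
if version_at_least "$ver" "$MIN_LIBGCRYPT"; then echo "libgcrypt $ver: ok"
else echo "libgcrypt $ver is older than $MIN_LIBGCRYPT"; fi
```

On a live system, pipe `gpg2 --version` into `libgcrypt_version` and the Enigmail debugging log into `status_error_code` instead of the embedded samples.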

     
