Machine is running Windows 7.
Thunderbird Version 31.5.0
Enigmail 1.8.1 (I upgraded but failure also happened under 1.8).
I had been running GPG 1.4.11, but in response to the popup warnings from Enigmail I upgraded gpg to gpg (GnuPG) 2.0.27 (Gpg4win 2.2.4).
Now most gpg operations from Enigmail fail, the simplest to replicate being selecting "Key Management" from the menu in Thunderbird, which gives an error popup with the following text:
Error - encryption command failed
"C:\Program Files (x86)\GNU\GnuPG\pub\gpg2.exe" --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-keys
gpg: Oops: keyid_from_fingerprint: no pubkey
gpg: Note: signatures using the MD5 algorithm are rejected
However, if I open a cmd window and paste the exact same gpg command it returns the expected key listing. So I'm assuming that there is some environment issue such that gpg when invoked by Enigmail is not finding the gnupg configuration folder, which is in the default location on my machine "C:\Users\<user>\AppData\Roaming\gnupg", but don't know where to debug further...
Any suggestions?
If you encounter issues after an upgrade to GnuPG 2.0.27 (e.g. by installing Gpg4Win 2.2.4) throwing "Note: signatures using the MD5 algorithm are rejected", then you need to identify and delete these old keys (please do that) or tell GnuPG to ignore weak digest algos (ugly workaround).
One symptom for this is that most Enigmail operations (including the listing of keys in key manager) fail since GnuPG 2.0.27 errors out and makes Enigmail think there is a serious error and no usable output.
As a first aid, you may open Enigmail -> Preferences. Ensure the "Advanced" tab is shown. If not, click on "Show Expert Settings and Menues". Select the "Advanced" tab. Put the following in the field "Additional parameters for GnuPG":
--allow-weak-digest-algos
Click on "Ok". This restores the behaviour of GnuPG 2.0.26 in this respect. Enigmail should run fine again. Alternatively, you may set that option globally in your gpg.conf. BUT: Both are a first aid only! You really should stop using keys using MD5.
I found a "method" to search for such keys. I definitely don't know whether this is correct, but what I did is
gpg --list-key 0x00000000000000000000000000000000
This seems to list all affected keys. Don't ask me why. I stumbled upon it while I got displayed keys with FPR all zero. So I exported these keys to be able to roll back ...
... and deleted them manually by executing this as long as it still found some:
After that cleanup, I had no more errors even without allow-weak-digest-algos.
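One way to identify the affected keys before deleting anything, as an added example that is not part of the original thread: it parses `gpg --with-colons --fingerprint --list-sigs` output and reports keys that are v3 (32-hex-digit MD5 fingerprint) or carry signatures made with MD5. The function name and sample listing are constructed for illustration, and it assumes your GnuPG fills field 16 (hash algorithm) on `sig` records as described in GnuPG's doc/DETAILS; where that field is empty only the v3 check fires.

```python
# Added example (not from the thread): flag keys that depend on MD5.
# Input is text from: gpg --with-colons --fingerprint --list-sigs
MD5_DIGEST_ID = "1"   # OpenPGP hash algorithm ID 1 = MD5 (RFC 4880, 9.4)
V3_FPR_HEX_LEN = 32   # v3 (PGP 2.x) fingerprints are 16-byte MD5 values

# Constructed sample listing; key IDs, fingerprints and names are made up.
SAMPLE = """\
pub:-:1024:1:AAAAAAAAAAAAAAAA:820454400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF:
uid:-::::820454400::::Old Key <old@example.invalid>:
sig:::1:AAAAAAAAAAAAAAAA:820454400::::Old Key <old@example.invalid>:13x:::::1:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::New Key <new@example.invalid>:
sig:::1:BBBBBBBBBBBBBBBB:1400000000::::New Key <new@example.invalid>:13x:::::8:
sig:::1:AAAAAAAAAAAAAAAA:1400000100::::Old Key <old@example.invalid>:10x:::::1:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1420000000:::-:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1420000000::::Clean Key <clean@example.invalid>:
sig:::1:CCCCCCCCCCCCCCCC:1420000000::::Clean Key <clean@example.invalid>:13x:::::8:
"""

def find_md5_keys(colon_listing):
    """Return {primary key ID: [reasons]} for keys that rely on MD5."""
    findings = {}
    current = None        # key ID of the primary key block being read
    in_primary = False    # True until the first subkey record of the block
    for line in colon_listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec") and len(f) > 4:
            current, in_primary = f[4], True
        elif rec in ("sub", "ssb"):
            in_primary = False
        elif rec == "fpr" and in_primary and current and len(f) > 9:
            if len(f[9]) == V3_FPR_HEX_LEN:
                findings.setdefault(current, []).append("v3 key (MD5 fingerprint)")
        elif rec in ("sig", "rev") and current and len(f) > 15:
            if f[15] == MD5_DIGEST_ID:   # field 16: hash algorithm
                reason = f"MD5 signature (class {f[10]}) by {f[4]}"
                findings.setdefault(current, []).append(reason)
    return findings

if __name__ == "__main__":
    for keyid, reasons in find_md5_keys(SAMPLE).items():
        print(keyid, "; ".join(reasons))
```

Export each reported key before removing it, as the poster did, so the cleanup can be rolled back.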
Indeed that was the issue, thanks.
The confusing bit is that gnupg only sort of "errors out", I'll take your word for it that it's returning non-zero status, but the fact that the listing was totally lost misled me.
Now to sort through the old keys and figure out what may actually be needed again someday and what won't.
PS: I think that the statement that "MD5 should be considered weak" is a bit of an overstatement.