Hi there,

I tried to read/decrypt emails from a specific contact. The decryption fails with the error message "no matching private/secret key found to decrypt message" whether I try to decrypt the latest emails or the very oldest ones.

I already tested several scenarios suggested by other threads covering similar topics. The boundary conditions of my problem are the following:

- Only this specific contact is affected by the problem.
- Encrypted communication worked fine until my recent attempt (guessed latest working decryption: 03.08.2017, first not working decryption 25.04.2018).
- I can send myself encrypted emails and I am able to decrypt them whether I send them from the same/affected email account or a different one.
- I have only one key pair associated with the affected email account.
- I never changed my key pair since my first communication with that contact.
- The fingerprint of the public key used for encryption always corresponds to the key pair associated with the affected email account.
- I am able to decrypt the emails manually with GnuPG but the automatic decryption with Enigmail inside Thunderbird fails with the mentioned error message.

I find this behavior very puzzling. I am grateful for hints in the right direction for solving this problem.

Versions:
Thunderbird: 52.7.0
Enigmail: 2.0.2
GnuPG: 2.2.6

Last edit: Sedriel 2018-04-29

There are two reasons for this:

- You use a different version of GnuPG on the command line than in Enigmail. GnuPG changed the way secret keys are stored between 2.0.30 and 2.1.0. For example, if you use gpg 1.4.x on the command line and 2.2.6 in Enigmail (or vice versa), then they will use different files for storing the secret key.
- You use a different GNUPGHOMEDIR on the command line than in Enigmail.

Thank you for your reply Patrick.

I checked your suggestions:

- Enigmail uses /usr/bin/gpg which is the same binary I use on the command line.
- The GNUPGHOMEDIR I use with Enigmail and on the command line are identical. (I didn't know how to look it up directly, so I created a new key pair on the command line and it showed up in the Enigmail key management. Additionally I checked that the fingerprint of the key pair associated with the email identity in question is the same, whether I look it up on the command line or in the Enigmail key management.)

Is it possible that Enigmail and "plain" GnuPG parse the encrypted emails in different ways? If this were the case, it might be that Enigmail encounters some kind of error before it recognises which private key to use for decryption.

The question is then if the particular message(s) are encrypted to you at all. The problem could also be on the sender's side.

If you attach a debug log after an attempt to decrypt the message, I can tell you more. See https://enigmail.net/index.php/en/faq-en?view=topic&id=15

> The question is then if the particular message(s) are encrypted to you at all.

Not sure if I got you correct here, but I am convinced that the messages are encrypted to me.

- The messages are encrypted since they are represented by non-plain text before decryption.
- The messages are encrypted to me since I am able to decrypt them with one of my private keys on the command line.

> The problem could also be on the sender's side.

Mh. Good point. The sender is a corporation which uses some special software to handle the email traffic. This software might do some weird magic I/we are not aware of. It is curious though that I am not able to decrypt old messages from that sender with Enigmail. As I mentioned before, encrypted communication worked in the past. Thus even if the sender changed anything, I would assume that I would be able to decrypt old messages if this problem were solely related to the sender's side.

Nevertheless I attached a log file of a failed decryption attempt with Enigmail. I hope that helps. Thank you for your effort.

Last edit: Sedriel 2018-04-30

OK, the problem is not related to your secret key or the passphrase. The message lacks security protection (MDC), which is considered a security error and therefore decryption fails. This was introduced with Enigmail 1.9.9. It needs to be fixed by the sender, see for example here: https://lists.gnupg.org/pipermail/gnupg-users/2013-January/045981.html

Unlike that posting stipulates, this is considered harmful these days, as it makes it easier for attackers to fake messages.

The message that Enigmail displays is wrong - Enigmail is confused by the strange output from GnuPG.
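The MDC diagnosis above can be checked on a message without decrypting it, because the protection is visible in the packet framing: an OpenPGP message that carries a Modification Detection Code uses the Sym. Encrypted Integrity Protected Data packet (tag 18), while the legacy container without one is the Symmetrically Encrypted Data packet (tag 9), both per RFC 4880. The following Python script is an added example, not code from the thread, from Enigmail or from GnuPG: it de-armors a message, walks the top-level packet headers (old and new format, including partial body lengths) and reports which container is in use. The two sample messages are constructed here with placeholder bodies (no real ciphertext); only the header bytes matter for the classification. On a real message, `gpg --list-packets` shows the same tags.

```python
"""Classify an OpenPGP message's encryption container by walking its packet
headers (RFC 4880 section 4.2). Added example, not part of the Enigmail thread."""
import base64

# Packet tags used in the diagnosis (RFC 4880 section 4.3).
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18
PACKET_NAMES = {PKESK: "Public-Key Encrypted Session Key",
                SKESK: "Symmetric-Key Encrypted Session Key",
                SED: "Symmetrically Encrypted Data (no MDC)",
                SEIPD: "Sym. Encrypted Integrity Protected Data (MDC)"}


def _read_new_length(buf, pos):
    """New-format length octets; returns (length, new_pos, is_partial)."""
    o = buf[pos]
    pos += 1
    if o < 192:
        return o, pos, False
    if o < 224:
        return ((o - 192) << 8) + buf[pos] + 192, pos + 1, False
    if o == 255:
        return int.from_bytes(buf[pos:pos + 4], "big"), pos + 4, False
    return 1 << (o & 0x1F), pos, True          # partial body length (224..254)


def parse_packets(buf):
    """Yield (tag, body_length) for each top-level packet; no decryption."""
    pos = 0
    while pos < len(buf):
        ctb = buf[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                          # new-format header
            tag = ctb & 0x3F
            length, pos, partial = _read_new_length(buf, pos)
            total, pos = length, pos + length
            while partial:                      # follow the chain of partial bodies
                length, pos, partial = _read_new_length(buf, pos)
                total, pos = total + length, pos + length
        else:                                   # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                      # indeterminate: rest of the input
                total, pos = len(buf) - pos, len(buf)
            else:
                n = (1, 2, 4)[ltype]
                total = int.from_bytes(buf[pos:pos + n], "big")
                pos += n + total
        if pos > len(buf):
            raise ValueError("truncated packet (tag %d)" % tag)
        yield tag, total


def integrity_status(packets):
    """'protected' if an MDC-carrying SEIPD packet is present, 'unprotected' if
    only the legacy SED container is used, otherwise 'not-encrypted'."""
    tags = {tag for tag, _ in packets}
    if SEIPD in tags:
        return "protected"
    if SED in tags:
        return "unprotected"
    return "not-encrypted"


def crc24(data):
    """Radix-64 checksum of the armor trailer (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip ASCII armor and verify the trailing CRC-24 line if present."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("missing armor delimiters")
    body = lines[1:-1]
    i = 0
    while i < len(body) and body[i].strip():    # skip "Version:"-style armor headers
        i += 1
    body = body[i + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch")
    return data


def armor(data):
    """Minimal ASCII armor writer, used here only to build the constructed samples."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", ""] + lines
                     + ["=" + crc, "-----END PGP MESSAGE-----", ""])


def build_packet(tag, body):
    """New-format header with a definite length (constructed test data only)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def diagnose(message):
    """Accept armored text or raw bytes and return the integrity status."""
    data = dearmor(message) if isinstance(message, str) else message
    return integrity_status(parse_packets(data))


# Constructed samples: a filler PKESK packet followed by either the legacy SED
# container or the MDC-protected SEIPD container. Bodies are placeholder bytes,
# not real ciphertext; only the packet framing is inspected.
_PKESK_FILLER = build_packet(PKESK, b"\x03" + bytes(8) + b"\x01" + bytes(20))
UNPROTECTED_MESSAGE = armor(_PKESK_FILLER + build_packet(SED, bytes(32)))
PROTECTED_MESSAGE = armor(_PKESK_FILLER + build_packet(SEIPD, b"\x01" + bytes(32)))

if __name__ == "__main__":
    for label, msg in (("legacy", UNPROTECTED_MESSAGE), ("mdc", PROTECTED_MESSAGE)):
        pkts = list(parse_packets(dearmor(msg)))
        print(label, [PACKET_NAMES.get(t, "tag %d" % t) for t, _ in pkts],
              "->", integrity_status(pkts))
```

A result of `unprotected` is the sender-side condition described in the reply above: the message itself has to be re-encrypted by the sender with integrity protection, and nothing on the recipient's key ring changes that outcome.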
I see. I will notify the sender. Thank you very much Patrick. You were really a big help.
PS: I removed the attached log file from my previous post for privacy reasons. If you think this is bad style since others could somehow profit from it, please tell me. In this case, I will upload an altered version (without the sender's or my e-mail addresses or key fingerprints).