Parallel decrypts fail in 2.1.19

Michael Smith michaels at syapse.com
Thu Mar 23 02:32:17 CET 2017


We use gpg extensively, particularly as a part of salt-ssh. Lately,
salt-ssh runs against multiple instances have begun to fail in
rendering gpg-encrypted data. Looking into it, I learned that running
one gpg -d at a time works without any problem, but several runs in
parallel fail.

1. I create a file encrypted to myself. (I'm the default recipient.)
$ gpg -qeo junk <<< junk
2. I can decrypt the file if it's in a single run.
$ gpg -qd junk
junk
3. I cannot decrypt the junk with 10 runs in parallel. (Pinentry opens
during this run.)
$ yes junk | head -n10 | xargs -n1 -P10 gpg -qd
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
4. gpg-agent is no longer running

So...

I threw these options into ~/.gnupg/gpg-agent.log:
debug-pinentry
debug-level guru
log-file /tmp/agent.log
debug 1024
verbose

And tried the above again. This bit caught my eye:

2017-03-22 21:25:13 gpg-agent[3624] Warning: using insecure memory!
56ab56...
2017-03-22 21:25:14 gpg-agent[3624] DBG: rsa_decrypt  res: [out of core]
2017-03-22 21:25:14 gpg-agent[3624] Ohhhh jeeee: ... this is a bug (sexp.c:1433:do_vsexp_sscan)

I searched for that output online and came across this message:
https://lists.gnutls.org/pipermail/gnupg-devel/2017-January/032489.html

The description there matches my experience, but that particular
double free seems to have been resolved already in 2.1.18, so I guess
I'm seeing a new bug. Has anyone come across this?

$ gpg --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6

- Michael A. Smith
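
A harness for the reproduction in steps 1-4, as an added example that is not part of the original post: it counts failed runs among N parallel decrypts, sweeps several concurrency levels beyond the single 10-way run, and checks whether gpg-agent survived. `DECRYPT_CMD` and the function names are hypothetical; the default command is the post's `gpg -qd`.

```shell
#!/bin/sh
# Added example. DECRYPT_CMD is a hypothetical override (default: the
# post's "gpg -qd") so the harness can be exercised without a keyring.

# parallel_decrypt_failures FILE EXPECTED N
# Runs N decrypts of FILE at once; prints how many failed.
parallel_decrypt_failures() {
    file=$1; expected=$2; n=$3
    cmd=${DECRYPT_CMD:-gpg -qd}
    tmp=$(mktemp -d) || return 2
    i=1
    while [ "$i" -le "$n" ]; do
        (   # one worker: keep its plaintext and exit status
            rc=0
            $cmd "$file" >"$tmp/out.$i" 2>"$tmp/err.$i" || rc=$?
            echo "$rc" >"$tmp/rc.$i"
        ) &
        i=$((i + 1))
    done
    wait
    failed=0; i=1
    while [ "$i" -le "$n" ]; do
        rc=$(cat "$tmp/rc.$i" 2>/dev/null || echo 1)
        # Failure = non-zero exit or plaintext that differs from EXPECTED.
        if [ "$rc" -ne 0 ] || [ "$(cat "$tmp/out.$i")" != "$expected" ]; then
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$failed"
}

# concurrency_sweep FILE EXPECTED: one "LEVEL FAILURES" line per level.
concurrency_sweep() {
    for level in 1 2 5 10; do
        echo "$level $(parallel_decrypt_failures "$1" "$2" "$level")"
    done
}

# agent_running: succeeds only if a gpg-agent is already up (step 4);
# --no-autostart keeps the check from launching a fresh agent.
agent_running() {
    gpg-connect-agent --no-autostart /bye >/dev/null 2>&1
}

# Usage: concurrency_sweep junk junk; agent_running || echo "agent died"
```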


