PGP decryption no longer works

Kevin J. McCarthy kevin at 8t8.us
Tue Jun 26 16:31:23 UTC 2018


On Tue, Jun 26, 2018 at 08:08:10AM -0400, Vincent Lefevre wrote:
> On 2018-06-25 14:02:33 -0700, Kevin J. McCarthy wrote:
> > On Mon, Jun 25, 2018 at 04:39:19PM -0400, Vincent Lefevre wrote:
> > > It seems that a recent change has broken PGP decryption:
> > > I now get a failure from gnupg. No issues with Mutt from
> > > Debian/unstable.
> > > 
> > > I don't have the time for the moment to look at this more closely.
> > 
> > Vincent, would you mind invoking debug '-d 2' and posting the section
> > starting with 'pgp_check_decryption_okay:'?
> 
> There's no such section, but:
> 
> [...]
> [2018-06-26 08:03:54] parse_parameter: `filename' = `msg.asc'
> [2018-06-26 08:03:56] mutt_pgp_command: gpg --passphrase-fd 0
> --no-verbose --batch -o -
> /var/tmp/mutt-zira-1000-10409-1833246164453793250

It looks like you may have customized the $pgp_decrypt_command.  Mutt
expects '--status-fd=2' to be in there so it can read the status output
from gpg.

The next stable release (1.10.1) will contain a new option,
$pgp_check_gpg_decrypt_status_fd, by default set, that scans the control
channel to check spoofed encrypted emails.  See
<https://gitlab.com/muttmua/mutt/issues/39>.

If you don't want to scan, you should turn off
$pgp_check_decrypt_status_fd.

The '--no-verbose' option listed in contrib/gpg.rc is also very
important, and protects against a status-fd injection attack.  This is
fixed by the most recent release of gpg2, but I recommend leaving it in.

-- 
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
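The kind of status-fd check Kevin describes, as an added example that is not mutt's own code: a small Python scanner over the `[GNUPG:]` lines gpg writes when run with `--status-fd=2`. The sample status output is constructed here, and the ordering rules it enforces are this example's assumption, not a description of mutt's implementation.

```python
"""Scan gpg --status-fd output and decide whether a real decryption happened.

Constructed example (not mutt's code). It only trusts lines carrying the
status prefix; anything else on the same fd is ignored, which is also why
keeping gpg quiet (--no-verbose) on that fd matters.
"""
from typing import Tuple

STATUS_PREFIX = "[GNUPG:] "


def check_decryption_okay(status_output: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one gpg run's status-fd text.

    Rules (this example's assumption):
      * BEGIN_DECRYPTION, then DECRYPTION_OKAY, then END_DECRYPTION.
      * PLAINTEXT outside that window means gpg produced output that was
        not the result of a decryption (a "spoofed" encrypted message).
      * No status lines at all fails closed, e.g. when the configured
        $pgp_decrypt_command lacks --status-fd=2.
    """
    saw_status = saw_begin = saw_okay = saw_end = inside = False
    for raw in status_output.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # diagnostic noise, not a status line
        saw_status = True
        keyword = raw[len(STATUS_PREFIX):].split(None, 1)[0]
        if keyword == "BEGIN_DECRYPTION":
            saw_begin = inside = True
        elif keyword == "DECRYPTION_OKAY" and inside:
            saw_okay = True
        elif keyword == "END_DECRYPTION" and inside:
            saw_end, inside = True, False
        elif keyword == "PLAINTEXT" and not inside:
            return False, "plaintext emitted outside a decryption"
    if not saw_status:
        return False, "no status lines; is --status-fd=2 in the command?"
    if saw_begin and saw_okay and saw_end:
        return True, "gpg reported a complete decryption"
    return False, "incomplete decryption status"


# Constructed sample status-fd captures (key ids and timestamps are made up).
GOOD_STATUS = ("[GNUPG:] BEGIN_DECRYPTION\n"
               "[GNUPG:] PLAINTEXT 62 1530000000 msg.txt\n"
               "[GNUPG:] DECRYPTION_OKAY\n"
               "[GNUPG:] END_DECRYPTION\n")
SPOOFED_STATUS = "[GNUPG:] PLAINTEXT 62 1530000000 msg.txt\n"
NO_STATUS = "gpg: encrypted with 1 key\n"   # --status-fd=2 missing
```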