I was running Evolution on Debian buster (testing) amd64 with GnuPG to encrypt mails. I have my GPG private key on a YubiKey actings as GPG smartcard. As Evolution somehow failed to load my calendars using CalDAV, I resetted Evolution. CalDAV is working fine now.
But after the reset another issue appeared: GPG encrypting/signing isn't working anymore. Mails are decrypted without problems.
Furthermore, I can not choose my own GPG key in the account's settings, even if it is imported properly and gets listed in gpg -K:
I'm now able to choose my key.
When I try to send an encryoted mail this fails with Evolution showing the following error:
Could not create message.
You may need to select different mail options.
Detailed error: Failed to encrypt: Invalid recipient <my@mail.address> specified. A common issue is that the gpg2 doesn’t have imported public key for this recipient.
But my public key is imported. The same thing happens when I disable the option Always encrypt to myself when sending encrypted messages with this account. The error then is:
Detailed error: Failed to encrypt: Invalid recipient <recipients@mail.address> specified. A common issue is that the gpg2 doesn’t have imported public key for this recipient.
Encrypting/signing from command line with the gpg command works fine. Using a private key which is not on a smartcard also did not work. Resetting both GPG and Evolution did not work.
I don't have any idea now what I should do now. Thank you all in advance 🙂
EDIT: output of strace -p $(pidof evolution) -f -e trace=execve when decrypting (works fine):
[pid 4613] execve("/usr/local/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--status-fd=66", "--command-fd=67", "--verify-options", "show-photos", "--photo-viewer", "/usr/lib/evolution/camel-gpg-pho"..., "--decrypt", "--output", "-"], [/* 34 vars */]) = -1 ENOENT (No such file or directory)
[pid 4613] execve("/usr/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--status-fd=66", "--command-fd=67", "--verify-options", "show-photos", "--photo-viewer", "/usr/lib/evolution/camel-gpg-pho"..., "--decrypt", "--output", "-"], [/* 34 vars */]) = 0
When encrypting (which fails):
[pid 4537] execve("/usr/local/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--batch", "--yes", "--status-fd=67", "--encrypt", "--armor", "-u", "my@mail.address", "-r", "<recipients@mail.address>", "--output", "-"], [/* 34 vars */]) = -1 ENOENT (No such file or directory)
[pid 4537] execve("/usr/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--batch", "--yes", "--status-fd=67", "--encrypt", "--armor", "-u", "my@mail.address", "-r", "<recipients@mail.address>", "--output", "-"], [/* 34 vars */]) = 0
The file /usr/local/bin/gpg2 doesn't exist and seems not to be part of any Debian package.
EDIT2: The command @Hauke Laging posted in the comments works, but I interactively needed to confirm to execute the action (as it also was when I manually encrypted using the command line):
echo foo | /usr/bin/gpg2 --status-fd=1 --encrypt --armor -u my@mail.address -r recipients@mail.address --output -
While the command which Evolution wants to execute fails (I removed the <> as that causes issues with zsh):
➜ ~ gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=67 --encrypt --armor -u my@mail.address -r recipients@mail.address --output
gpg: Fatal: status-fd is invalid: Bad file descriptor
Setting --status-fd=1 still fails, but with different errors:
➜ ~ echo "foo" | gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=1 --encrypt --armor -u my@mail.address -r recipients@mail.address --output -
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
gpg: using pgp trust model
gpg: using subkey <recipient's encryption subkey id> instead of primary key <recipient's primary key id>
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
gpg: automatically retrieved 'recipients@mail.address' via Local
gpg: <recipient's encryption subkey id>: There is no assurance this key belongs to the named user
[GNUPG:] INV_RECP 10 recipients@mail.address
[GNUPG:] FAILURE encrypt 53
gpg: [stdin]: encryption failed: Unusable public key
EDIT3: Just tested: signing messages from Evolution works as well as decrypting.
When I manually encrypt a message using the command line, I get the following message which I think causes this issue:
➜ ~ echo "foo" | gpg --encrypt -r recipients@mail.address --armor
gpg: automatically retrieved 'recipients@mail.address' via Local
gpg: <recipient's encryption subkey id>: There is no assurance this key belongs to the named user
sub rsa4096/<recipient's encryption subkey id> 2015-10-14 Recipient's Name <recipients@mail.address>
Primary key fingerprint: <recipient's key fingerprint>
Subkey fingerprint: <recipient's encryption subkey fingerprint>
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
[...]
-----END PGP MESSAGE-----
EDIT4: As the message above is caused by missing ownertrust (at least I think so), I'd like to set the recipient's ownertrust using gpg --edit-key (which was not set before):
gpg> trust
pub rsa4096/<some key id>
created: <some date in the past> expires: <some date in the future> usage: SCA
trust: unknown validity: unknown
sub rsa4096/<some other key id>
created: <some date in the past> expires: <some date in the future> usage: E
[ unknown] (1). Pecipient's Name <recipients@mail.address>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 3
pub rsa4096/<some key id>
created: <some date in the past> expires: <some date in the future> usage: SCA
trust: marginal validity: unknown
sub rsa4096/<some other key id>
created: <some date in the past> expires: <some date in the future> usage: E
[ unknown] (1). Pecipient's Name <recipients@mail.address>
So I set the recipient's ownertrust, but why is there still this [ unknown] at the end?
Best Answer
You haven't understood how the OpenPGP validity scheme works. But independent of that: Applications should not have a problem using non-valid keys (so you might complain towards the Evolution developers).
There are two ways (with GnuPG in standard mode) how a certificate can become valid:
This means: If no certificate in your keyring has ultimate ownertrust then you have automatically lost.
Alternatively you can change the trust model with
Then you can set the validity directly as you tried. But in any case the certificate must be "completely valid". Marginal validity is not enough.
I have explained that in detail on my web site:
http://www.hauke-laging.de/sicherheit/openpgp.html#wot
The text is German but there are some images in that block which might be helpful for understanding.