Menu

#139 Upgrading to duply 2.5.1 from 2.4.1 breaks gpg password?

duply
closed-fixed
nobody
None
5
2023-11-30
2023-10-31
Eric D
No

TLDR; using a gpg key with an ampersand in the password breaks duply. If the gpg key does not have an ampersand, duply commands works without issue. Attempting to escape the ampersand with a backslash in GPG_PW is partially successfull, duply executes without issue, but the command fails with "Bad passphrase" due to the backslash is interpeted by GPG as part of the password.

Broken environment:
duply 2.5.1
duplicity 2.1.4

Previous environment has no issues with ampersand in GPG_PW:
duply 2.4.1
duplicity 1.2.1

  1. the command line that lead to the error
    $ duply myprofile status
    or
    $ duply myprofile incr

  2. the complete output of your duply command

Start duply v2.5.1, time is 2023-10-31 03:56:14.
Using profile '/Users/meuser/.duply/myprofile'.
Using installed duplicity version 2.1.4, python 3.12.0 (/opt/homebrew/Cellar/duplicity/2.1.4/libexec/bin/python) 'PYTHONPATH=:/opt/homebrew/Cellar/python@3.12/3.12.0/Frameworks/Python.framework/Versions/3.12/lib/python312.zip:/opt/homebrew/Cellar/python@3.12/3.12.0/Frameworks/Python.framework/Versions/3.12/lib/python3.12:/opt/homebrew/Cellar/python@3.12/3.12.0/Frameworks/Python.framework/Versions/3.12/lib/python3.12/lib-dynload:/opt/homebrew/Cellar/duplicity/2.1.4/libexec/lib/python3.12/site-packages:/opt/homebrew/opt/python-setuptools/lib/python3.12/site-packages:/opt/homebrew/opt/six/lib/python3.12/site-packages:/opt/homebrew/opt/pycparser/lib/python3.12/site-packages:/opt/homebrew/opt/cffi/lib/python3.12/site-packages:/opt/homebrew/opt/protobuf/lib/python3.12/site-packages:/opt/homebrew/opt/python-certifi/lib/python3.12/site-packages:/opt/homebrew/opt/python-typing-extensions/lib/python3.12/site-packages:/opt/homebrew/opt/python-cryptography/lib/python3.12/site-packages:/opt/homebrew/opt/python-lxml/lib/python3.12/site-packages:/opt/homebrew/opt/python-packaging/lib/python3.12/site-packages:/opt/homebrew/opt/python-psutil/lib/python3.12/site-packages:/opt/homebrew/opt/python-pyparsing/lib/python3.12/site-packages:/opt/homebrew/opt/python-pytz/lib/python3.12/site-packages:/opt/homebrew/opt/pyyaml/lib/python3.12/site-packages:/opt/homebrew/opt/python-lxml/lib/python3.12/site-packages:/opt/homebrew/lib/python3.12/site-packages', gpg 2.4.3 (Home: /Users/meuser/.gnupg), awk 'awk version 20200816', grep 'grep (BSD grep, GNU compatible) 2.6.0-FreeBSD', bash '5.2.15(1)-release (aarch64-apple-darwin22.1.0)'.
Public key '123456789FOOKEYOBFUSCATED' found in keychain.
Autoset found secret key of first GPG_KEY entry '123456789FOOKEYOBFUSCATED' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '123456789FOOKEYOBFUSCATED' & Sign with '123456789FOOKEYOBFUSCATED' (FAILED)

Sorry. A fatal ERROR occured:

Encryption failed (Code 2).
FIRST_FIFTEEN_CHARACTERS_OF_THE_GPG_PW_BEFORE_AMPERSAND
/opt/homebrew/bin/duply: line 1303: AFTER_AMPERSAND_LAST_EIGHT_CHARACTERS_OF_GPG_PW: command not found
gpg: using "123456789FOOKEYOBFUSCATED" as default secret key for signing
[GNUPG:] KEY_CONSIDERED 123456789FOOKEYOBFUSCATED 2
[GNUPG:] KEY_CONSIDERED 123456789FOOKEYOBFUSCATED 0
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] BEGIN_ENCRYPTION 2 9
gpg: signing failed: No passphrase given
[GNUPG:] FAILURE sign-encrypt 67109041
gpg: /opt/homebrew/bin/duply: sign+encrypt failed: No passphrase given

Hint:
This error means that gpg is probably misconfigured or not working
correctly. The error message above should help to solve the problem.
However, if for some reason duply should misinterpret the situation you
can define GPG_TEST='disabled' in the conf file to bypass the test.
Please do not forget to report the bug in order to resolve the problem
in future versions of duply.

  1. ideally a test case that helps to reproduce the ERROR

The GPG_PW contains an ampersand (&)
GPG_PW='FIRSTFITEEN_&_LASTEIGHT'

It looks like the password is not properly encapsulated when passed to GPG, and the GPG_PW is split at the ampersand and interpreted as an additional duply command.

If I try escaping the ampersand in GPG_PW, eg. '\&', splitting of the GPG_PW does not occur, however it results in a "Bad passphrase" due to the backslash.

Public key '71E99B1644EC977E928A6B6A54C62EB1DBFA60FD' found in keychain.
Autoset found secret key of first GPG_KEY entry '71E99B1644EC977E928A6B6A54C62EB1DBFA60FD' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '71E99B1644EC977E928A6B6A54C62EB1DBFA60FD' & Sign with '71E99B1644EC977E928A6B6A54C62EB1DBFA60FD' (FAILED)

Sorry. A fatal ERROR occured:

Encryption failed (Code 2).
gpg: using "71E99B1644EC977E928A6B6A54C62EB1DBFA60FD" as default secret key for signing
[GNUPG:] KEY_CONSIDERED 71E99B1644EC977E928A6B6A54C62EB1DBFA60FD 2
[GNUPG:] KEY_CONSIDERED 71E99B1644EC977E928A6B6A54C62EB1DBFA60FD 0
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] BEGIN_ENCRYPTION 2 9
gpg: signing failed: Bad passphrase
[GNUPG:] FAILURE sign-encrypt 67108875
gpg: /opt/homebrew/bin/duply: sign+encrypt failed: Bad passphrase

If I generate a new gpg key with a simple password without special characters, eg. '12345678', commands run successfully.

$ duply foo-profile status 04:25:43
Start duply v2.5.1, time is 2023-10-31 04:25:52.
Using profile '/Users/meuser/.duply/foo-profile'.
Public key '06DAF31EA2073B8C0C8BB29776767C1D66E9ACCE' found in keychain.
Autoset found secret key of first GPG_KEY entry '06DAF31EA2073B8C0C8BB29776767C1D66E9ACCE' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '06DAF31EA2073B8C0C8BB29776767C1D66E9ACCE' & Sign with '06DAF31EA2073B8C0C8BB29776767C1D66E9ACCE' (OK)
Test - Decrypt (OK)
Test - Compare (OK)
Cleanup - Delete '/tmp/duply.5972.1698751552_*'(OK)

--- Start running command STATUS at 2023-10-31 04:25:53.000 ---

Discussion

  • Eric D

    Eric D - 2023-10-31

    GPG version info:

    Broken environment:
    duply 2.5.1
    duplicity 2.1.4
    gpg 2.4.3

    Previous environment has no issues with ampersand in GPG_PW:
    duply 2.4.1
    duplicity 1.2.1
    gpg 2.4.0

     

  • ede

    ede - 2023-10-31

    hey Eric,

    thanks for the report. can you please test this snapshot?
    https://duply.net/tmp/duply.sh

    thanks!.. ede

     

  • Jacob Godserv

    Jacob Godserv - 2023-11-10

    Hey ede, I had the same issue and this appears to be a good fix. However, I get a lot of spurious output at the start of a "verify" run:

    Signing disabled. No GPG_KEY entries in config.
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
Test - Encryption with passphrase (OK)
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator                                                                                                                            awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\_' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\@' is not a known regexp operator
awk: cmd. line:1: warning: regexp escape sequence `\%' is not a known regexp operator
Test - Decryption with passphrase (OK)
Test - Compare (OK)
     

    • ede

      ede - 2023-11-11

      thanks Jacob, seems like your awk is somewhat more delicate :) please try the snapshot https://duply.net/tmp/duply.sh

      thxagn! ..ede

      On 11.11.2023 14:12, Jacob Godserv wrote:

      Hey ede, I had the same issue and this appears to be a good fix. However, I get a lot of spurious output at the start of a "verify" run:

      |Signingdisabled.NoGPG_KEYentriesinconfig. awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator CheckingTEMP_DIR'/tmp'isafolderandwritable(OK) awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator
      awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator Test-Encryptionwithpassphrase(OK) awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperatorawk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator Test-Decryptionwithpassphrase(OK) Test-Compare(OK) |

       

      • ede

        ede - 2023-11-13

        hey Jacob,

        would you mind telling me the OS and awk name/version of this box? ..thx ede

        On 11.11.2023 14:21, edgar.soldin@web.de wrote:

        thanks Jacob, seems like your awk is somewhat more delicate :) please try the snapshot https://duply.net/tmp/duply.sh

        thxagn! ..ede

        On 11.11.2023 14:12, Jacob Godserv wrote:

        Hey ede, I had the same issue and this appears to be a good fix. However, I get a lot of spurious output at the start of a "verify" run:

        |Signingdisabled.NoGPG_KEYentriesinconfig. awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator CheckingTEMP_DIR'/tmp'isafolderandwritable(OK) awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator
        awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator Test-Encryptionwithpassphrase(OK) awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperatorawk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\,'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence_'isnotaknownregexpoperator awk:cmd.line:1⚠️regexpescapesequence\@'isnotaknownregexpoperator awk:cmd.line:1:warning:regexpescapesequence\%'isnotaknownregexpoperator Test-Decryptionwithpassphrase(OK) Test-Compare(OK) |

         

  • ede

    ede - 2023-11-30
    • status: open --> closed-fixed
     

  • ede

    ede - 2023-11-30

    closing this after no further responses as fixed.

    will be released in v2.5.2

     

    Last edit: ede 2023-11-30

Log in to post a comment.

MongoDB Logo MongoDB