
I'm about to use gnupg to encrypt and decrypt files. The strange thing is, encrypt works fine, but decrypt always returns false.

Here is a simple PHP script encrypting and decrypting content:

```php
<?php
$content = 'test text';
putenv("GNUPGHOME=/PATH_TO_GPG_PATH");

// Encrypt with the public key identified by FINGERPRINT
$gpg = new gnupg();
$gpg->addencryptkey("FINGERPRINT");
$enc = $gpg->encrypt($content);

var_dump($enc);            // ASCII-armored ciphertext: this step works

// Decrypt with the matching secret key and its passphrase
$gpgD = new gnupg();
$gpgD->adddecryptkey("FINGERPRINT", "PASSPHRASE");
$plain = $gpgD->decrypt($enc);
var_dump($plain);          // always bool(false) here
```

Versions

Debian packages:

  • gpgv 1.4.18-7
  • libgpgme11:amd64 1.5.1-6

pecl:

  • gnupg 1.4.0 (state: stable)

PHP version: PHP 7.1.11-1+0~20171027135825.10+jessie~1.gbp2e638d

Anyone experienced this problem already? I'm out of ideas. Thank you in advance.

Wolf-Tech
  • What is [`gnupg_geterror`](https://secure.php.net/manual/en/function.gnupg-geterror.php) returning? – Jens Erat Nov 17 '17 at 19:22
  • decrypt failed, nothing else. I made a workaround by using the plain decrypt command via shell_exec(). Wondering why the plain decrypt works with php based encryption methods. :-/ – Wolf-Tech Nov 20 '17 at 17:01
  • Have you tried it with a key without a password? In gnupg > v2.0.0 it is not possible by default to use a password in a web server. The request for the password is prompted to the console, so it doesn't work. Have a look at [Mike](http://php.net/manual/de/function.gnupg-decrypt.php)'s comment in the manual – finder2 Jul 27 '18 at 09:41

2 Answers

Have you tried invoking gnupg_geterror() after gnupg_adddecryptkey()? I suspect your private key is not actually getting accepted. I assume it needs to be in the PHP user's GPG keyring? Also, in a couple of brief tests I ran, I kept getting prompted for the passphrase on the terminal, but that could be because of my paranoid gpg config (I disable passphrase caching completely).

Another way to trap errors would be to set gnupg_seterrormode() to ERROR_EXCEPTION or similar to see what's actually happening...


For me the issue was that the PHP application didn't have the right permissions on the key files. If you generate the keys with the 'gpg' CLI (like I did), it makes the files owned by 'root'. So I just needed to change them to be owned by the PHP application user.

The folders I needed to update permissions on were {GNUPGHOME}/openpgp-revocs.d and {GNUPGHOME}/private-keys-v1.d

My guess for you is that it's the /private-keys-v1.d folder, since you can't decrypt it.

ggedde
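An added example (not code from the question or either answer) that combines the two answers' advice: run the PECL gnupg extension in exception mode so adddecryptkey()/decrypt() report why they fail instead of returning a bare false, and pre-check that GNUPGHOME and its private-keys-v1.d directory are readable by the PHP process. The path, fingerprint and passphrase are placeholders.

```php
<?php
// Added example, not the question's or answers' own code.
// Placeholders: replace with the keyring directory, key fingerprint and passphrase.
$gnupgHome   = '/PATH_TO_GPG_PATH';
$fingerprint = 'FINGERPRINT';
$passphrase  = 'PASSPHRASE';

putenv("GNUPGHOME=$gnupgHome");

// Pre-check for the permission problem from the second answer: gpg keeps secret
// keys under private-keys-v1.d, so a directory the web server user cannot read
// makes decrypt() fail while encrypt() (public key only) still works.
foreach ([$gnupgHome, "$gnupgHome/private-keys-v1.d"] as $dir) {
    if (!is_dir($dir) || !is_readable($dir)) {
        fwrite(STDERR, "$dir is missing or not readable by this PHP process\n");
    }
}

$gpg = new gnupg();
// The default mode (ERROR_WARNING) lets decrypt() return false quietly;
// ERROR_EXCEPTION throws instead, and geterror() still holds the last message.
$gpg->seterrormode(gnupg::ERROR_EXCEPTION);

try {
    $gpg->addencryptkey($fingerprint);
    $enc = $gpg->encrypt('test text');

    // A secret key that is absent from the keyring or unreadable fails here,
    // before decrypt() is ever reached.
    $gpg->clearencryptkeys();
    $gpg->adddecryptkey($fingerprint, $passphrase);
    $plain = $gpg->decrypt($enc);
    var_dump($plain === 'test text');
} catch (Exception $e) {
    // The exception message is the same text gnupg_geterror() returns.
    fwrite(STDERR, 'gnupg error: ' . $e->getMessage() . "\n");
    fwrite(STDERR, 'geterror(): ' . var_export($gpg->geterror(), true) . "\n");
}
```

As the comments above note, on GnuPG 2.x a passphrase-protected key may additionally fail because the passphrase prompt goes to a console the web server does not have; a key without a passphrase, owned by the PHP user, sidesteps both causes.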