PGP can't add key (Windows)

[HervE]

Hello,

I've installed PGP (GnuPG) and configured it in SysConfig Crypt::PGP.

However, when I try to add a public key, I've got the following error:
Can't add key: gpg: can't open `C:\PROGRA~2\OTRS\OTRS\var\tmp\keW4zvK2sg.tmp': No such file or directory gpg: Total number processed: 0!

I've searched the forum and found the same error here.
Unfortunately it's German, and my German knowledge is not technical enough

Could you help please?

My guess is: the program is searching 'C:\PROGRA~2\OTRS\OTRS\var\tmp' directory on my client PC, instead of searching on OTRS server...

Regards,
HervE

[crythias]

No, it's looking for the install of otrs on your server after you've uploaded the key.

[HervE]

OK, so my guess was wrong.

How can I solve this problem then?

HervE

[jojo]

import them manualy in your keyring or use a *nix based operating system

[HervE]

Do you mean PGP doesn't work under Windows??????!!!

-----

Well, I imported them manually (using Cryptophane) and then... how can OTRS know them?

HervE

[jojo]

I never tried it in Windows...


PGP works with a keyring, so if you import it to the correct keyring OTRS will now them

[HervE]

How to import the keyring in OTRS?

I've seen where to add/import a public key, but no keyring.

Excuse me, I am newbie with PGP.

Regards,
HervE

[HervE]

Hello,

I'm still having the error:
Can't add key: gpg: can't open `C:\PROGRA~2\OTRS\OTRS\var\tmp\keW4zvK2sg.tmp': No such file or directory gpg: Total number processed: 0!

Can anybody help?

For information,in SysConfig I configured Framework -> Crypt::PGP this way:
PGP::Bin = C:\PROGRA~2\OTRS\PGP\GnuPG\gpg.exe
PGP::Options = --homedir C:\PROGRA~2\OTRS\PGP\ --batch --no-tty --yes

Is this correct?

Regards,
HervE

[crythias]

You might try a dir /x to make sure the path is Progra~2

[HervE]

Checked.

C:\PROGRA~2 is the path.

So what can I do?

HervE

[crythias]

You should be able to manually add the keys because all the gpg interface does is system calls to the gpg command.

gpg --import keyname.pgp

[HervE]

Where can you see this command please?

HervE

[crythias]

where gpg is installed. ...? You've already told this path in sysconfig. If you've not installed gpg4win, you might have to get it and install it.

[HervE]

Hi crythias,

Like I said at the very beginning of this post, I installed GnuPG (not gpg4win) on OTRS server.

When you say "all the gpg interface does is system calls to the gpg command gpg --import keyname.pgp", where can you see this gpg --import keyname.pgp?

I'd like to see precisely what is mentioned.
Is "keyname.pgp" a variable?

Thanks for your help,
HervE

[crythias]

keyname.pgp is a file that contains a key.

Kernel/System/Crypt/PGP.pm

Code: Select all

    my $GPGOptions = "--import $Filename";
    my $LogMessage = qx{$Self->{GPGBin} $GPGOptions 2>&1};
    if ( $LogMessage =~ /failed/i ) {
        $LogMessage =~ s/\n//g;
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => "Can't add key: $LogMessage!",
        );
        return;

Which means that it's looking for gpg.exe application in the location specified in GPGBin, adds --import as a command line operation with a second argument as the filename that's being uploaded.

So, to help it along, all you'd have to do is determine where on your system gpg.exe exists, go to a command prompt, and type:

gpg --import filename.ext

filename.ext would be the file you'd have chosen to upload as a key through the interface.

And you'd be running this on the server where OTRS and GnuPG together are installed.

[HervE]

Hi crythias,

Strange, but I can't find the same code as you. My PGP.pm file contains this code:

Code: Select all

sub KeyAdd {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{Key} ) {
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => 'Need Key!',
        );
        return;
    }
    my ( $FH, $Filename ) = $Self->{FileTempObject}->TempFile();
    print $FH $Param{Key};
    my $GPGOptions = "--status-fd 1 --import $Filename";
    my $Message    = qx{$Self->{GPGBin} $GPGOptions 2>&1};

    my %LogMessage = $Self->_HandleLog( LogString => $Message );

    if ( !$LogMessage{IMPORT_OK} ) {
        $Message =~ s/\n//g;
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => "Can't add key: $LogMessage{CleanLog}!",
        );
        return;
    }

    return $LogMessage{CleanLog};
}

May this be the reason of my problem?

Regards,
Herve

[crythias]

I'm not sure what your difficulty is. I've already told you the workaround and the only major difference between what I gave and what you showed is:
my $GPGOptions = "--status-fd 1 --import $Filename";
my $Message = qx{$Self->{GPGBin} $GPGOptions 2>&1};
which means that what it's going to do is run the command line:
\path\to\where\you\pointed\gpg.exe --status-fd 1 --import thefilethatcontainsthekey.ext

Once you've imported the key, it doesn't matter anymore. It's on the keyring. This is gpg specific, not OTRS.

[HervE]

I've already told you the workaround

Which workaround? Use PGP manually on OTRS server? That's what I'm already doing while waiting for a solution to have it working in OTRS.
(Actually, I don't use it manually, I am using Cryptophane interface.)

and the only major difference between what I gave and what you showed is:
my $GPGOptions = "--status-fd 1 --import $Filename";
my $Message = qx{$Self->{GPGBin} $GPGOptions 2>&1};
which means that what it's going to do is run the command line:
\path\to\where\you\pointed\gpg.exe --status-fd 1 --import thefilethatcontainsthekey.ext

With all due respect, there is another difference, which is this FileTempObject thing.
Since the error I get just mentions a tmp directory and a .tmp file, it rang a bell.
What do you think?

Once you've imported the key, it doesn't matter anymore. It's on the keyring. This is gpg specific, not OTRS.

Can be. But isn't there in OTRS a link between a customer user and its public key? I suppose so because I can see "PGP Key Upload" on the customer form.
Isn't OTRS supposed to encrypt a PGP file for a customer using its public key, or decrypt a PGP file that a customer sent using our public key (gpg being behind all that like a black box)?
What's the use of an integrated PGP interface in OTRS otherwise?

Many thanks for your help.

Regards,
HervE

[HervE]

Hi,

I tried several things to go further.

1) I tried to log some variables. Here are the results:

TempFile(): Kernel::System::FileTemp=HASH(0x34d9acc)->TempFile()
FH: GLOB(0x10abf7f4)
Filename: C:\PROGRA~2\OTRS\OTRS\var\tmp\pS3YewSwQk.tmp
GPGOptions: --status-fd 1 --import C:\PROGRA~2\OTRS\OTRS\var\tmp\pS3YewSwQk.tmp
Message: [GNUPG:] IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
gpg: can't open `C:\PROGRA~2\OTRS\OTRS\var\tmp\pS3YewSwQk.tmp': No such file or directory
gpg: Total number processed: 0

What can be said from that is:
For some reason the pgp command doesn't import the key directly from the chosen file Someone.asc I am trying to import, but is looking for some temp file from a temp directory where - I suppose - the key should be copied. Unfortunately, the temp file doesn't exist.
Why doesn't it exist?

2) I also tried to modify sub KeyAdd of my PGP.pm so that it looks like crythias' mentioned code above.
The result:
As soon as I click on Admin > PGP Keys, I get the following error message on screen:
Software error: Can't call method "Check" on an undefined value at C:/PROGRA~2/OTRS/OTRS//Kernel/Modules/AdminPGP.pm line 314.
and the following error in otrs.log:
[Error][Kernel::System::Crypt::new][102] Global symbol "$Filename" requires explicit package name at C:/PROGRA~2/OTRS/OTRS//Kernel/System/Crypt/PGP.pm line 802.
Which sounds logical because variable $Filename is not declared in the extract given by crythias.
How to have $Filename equal to my Someone.asc instead of this temp file? (if it ever makes sense)

Regards,
HervE

[HervE]

Hi,

I am still looking for a solution.

Regards,
HervE

[jojo]

switch to Linux

[crythias]

gpg: can't open `C:\PROGRA~2\OTRS\OTRS\var\tmp\pS3YewSwQk.tmp': No such file or directory

It means what it means. gpg as an app works. The path and file pS3... is not created/is not there. If it were to be created, it'd simply be a renamed file of what was submitted (read: if a user uploaded "myfile.pgp", it would be sitting in C:\PROGRA~2\OTRS\OTRS\var\tmp\pS3YewSwQk.tmp and gpg import would be called from the command line to import it into the gpg keyring.

I also tried to modify sub KeyAdd of my PGP.pm so that it looks like crythias' mentioned code above.

If you copied it as the entire KeyAdd, you should encounter the error you received. Mine was just a snippet of the relevant part of adding the key.
You should recover PGP.pm from original code (click download):
http://source.otrs.org/viewvc.cgi/otrs/ ... =rel-3_0_6

[crythias]

Isn't OTRS supposed to encrypt a PGP file for a customer using its public key, or decrypt a PGP file that a customer sent using our public key (gpg being behind all that like a black box)?
What's the use of an integrated PGP interface in OTRS otherwise?

OTRS doesn't do anything to match a user to a key. At least, not explicitly.

I'm sure I'll get something wrong here, but off the top of my head is the following:
When a mail client decides it wishes to encrypt an email, it encrypts with the recipient's public key. The mail client doesn't know anything about how to do it. It just knows who the recipient is. The PGP/GPG client says, "I can handle that! What's the email address?" and then it looks up the email address in the file system stored keyring (completely separate from the application that is asking for encryption) and says, "Hey, I have that email address! I know how to encrypt a message for that recipient! Here's the encrypted version of the text you sent to pgp/gpg! Replace the body and send!" The plugin for the mail sender replaces the body with the encrypted text and sends it to the recipient.

When a customer sends an encrypted email to you (including OTRS), the customer must have your public encryption key. (This is equivalent to you providing open locks for people to put on a gym locker. They'll put something in a gym locker, grab a lock from the table, lock the locker, and hope you have the key. But you wouldn't provide a public lock if you didn't have the key.)

What OTRS does is sense that the message is encrypted, "Hey, pgp/gpg, I don't know what to do with this. This is the password for my private key. Tell me what the clear text is." And pgp unlocks/decrypts the message into clear and OTRS replaces the encrypted text with PGP's result, if successful.

[HervE]

Hello crythias,

Mine was just a snippet of the relevant part of adding the key.
You should recover PGP.pm from original code (click download):
http://source.otrs.org/viewvc.cgi/otrs/ ... =rel-3_0_6

I downloaded it and found this:

Code: Select all

sub KeyAdd {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{Key} ) {
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => 'Need Key!',
        );
        return;
    }
    my ( $FH, $Filename ) = $Self->{FileTempObject}->TempFile();
    print $FH $Param{Key};
    my $GPGOptions = "--status-fd 1 --import $Filename";
    my $Message    = qx{$Self->{GPGBin} $GPGOptions 2>&1};

    my %LogMessage = $Self->_HandleLog( LogString => $Message );

    if ( !$LogMessage{IMPORT_OK} ) {
        $Message =~ s/\n//g;
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => "Can't add key: $LogMessage{CleanLog}!",
        );
        return;
    }

    return $LogMessage{CleanLog};
}

...which was exactly the code I had, because I never modified it from the original.

But your snippet (from November 5th) was very different:

Code: Select all

        my $GPGOptions = "--import $Filename";
        my $LogMessage = qx{$Self->{GPGBin} $GPGOptions 2>&1};
        if ( $LogMessage =~ /failed/i ) {
            $LogMessage =~ s/\n//g;
            $Self->{LogObject}->Log(
                Priority => 'error',
                Message  => "Can't add key: $LogMessage!",
            );
            return;

Where did you get it from?

Regards,
HervE

[HervE]

Hello,

I am still expecting a solution.
(Switching to Linux is out of question )

I cannot believe I'm the only one out there having this problem??

Regards,
HervE

[crythias]

Your original message says the executable gpg (gpg.exe) is not in your path/not where it is expected to be. You need to provide a path to gpg.exe in SysConfig.

[HervE]

I did it:

My SysConfig > Framework -> Crypt::PGP contains the following keys/values:
PGP = Yes
PGP::Bin = C:\PROGRA~2\OTRS\PGP\GnuPG\gpg.exe
PGP::Options = --homedir C:\PROGRA~2\OTRS\PGP\ --batch --no-tty --yes
PGP::Key::Password =
Key = (my_key)
Content = (my_password)
PGP::TrustedNetwork = Yes

All the other keys stay set to default value.

Does it look fine this way?

Regards,
HervE

[HervE]

Hello forum,

I still need some help on that.
Does anybody know how to?

Regards,
HervE

[jojo]

I suggest to switch to an UNIX based OS

[HervE]

Not possible in our background.

Regards,
HervE

[HervE]

I have some news about this topic.

I modified my configuration this way:
PGP = Yes
PGP::Bin = C:\PROGRA~1\Cryptophane\GnuPG\gpg.exe [This is the place where my gpg.exe is]
PGP::Options = --homedir C:\Users\dcf_release\AppData\Roaming\gnupg\ --batch --no-tty --yes [...Roaming\gnupg\ is the place where my keyring is]
PGP::Key::Password =
Key = (my_secret_key)
Content = (my_password)
PGP::TrustedNetwork = Yes

Now I can see the keys (public and secret) from my keyring!

Even better: Each key is automatically identified through the customer's email address, so I can encrypt a message to a customer, and decrypt a message from a customer!

But... I still can't add a new key to the keyring:
-in ADMIN > PGP Keys > Add PGP key
-and in CUSTOMERS > PGP Key > Browse, as well
I get the same already mentioned error.

What should I do?

Regards,
HervE

[crythias]

The original German response was that the path could not be found because of bad slashes on the command line.

While you've attempted the direct method through the gui, you haven't verified if you stick a key (samplekey.asc) in the path C:\PROGRA~2\OTRS\OTRS\var\tmp\
and then from your command line

Code: Select all

C:\PROGRA~1\Cryptophane\GnuPG\gpg.exe  --homedir C:\Users\dcf_release\AppData\Roaming\gnupg\ --batch --no-tty --yes --status-fd 1 --import C:\PROGRA~2\OTRS\OTRS\var\tmp\samplekey.asc

what happens?

[HervE]

Thanks for your answer.

While you've attempted the direct method through the gui, you haven't verified if you stick a key (samplekey.asc) in the path C:\PROGRA~2\OTRS\OTRS\var\tmp\

Yes I did.
I got the error:
Can't add key: gpg: can't open `D:\OTRS\OTRS\var\tmp\8WP1Q8kL0o.tmp': No error gpg: Total number processed: 0!
But there is no 8WP1Q8kL0o.tmp in D:\OTRS\OTRS\var\tmp.
And there is no sticked key like samplekey.asc either.

So naturally I cannot run the command line you said.

Regards,
HervE

[crythias]

I'm sorry. There must be a translation problem.
What I mean is: "Create a file that contains a key that you'd import, and place it as filename "sample.asc" in that directory."

Here's a sample public key to import: (save as samplekey.asc in that directory).

Code: Select all

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mI0EUDT1bgEEAIP+uPnuuxO3r8oQ3fP2uS2q1/U+eBe5fVrZlvwIziOX4TPbYKHN
DnXDYYUkK9C2qEh7SPE6xv3rzLIP81ogGSXFY9bVD3fLGV50B3L/7Gaon7IjPaYf
UhRojipEYC83Loepxy/8PPsPidmfZhpSMOOdJZn2vKNktOqHhuZzhxxbABEBAAG0
DGhlbHBAZ3d5Lm9yZ4icBBABAgAGBQJQNPVuAAoJEEssd0yyoCb3lMQD/0xlljN7
oebfXQor10v75waiSN6StWptoz5us+V69NbVb4MdrmC5mjjAoYc3WpIVcdLozKSf
k0RNkAasgNEacYObsTSQLsNyWDWFm1M0pKqBYtbkd+nRmSVAHghvO6UmDAo+Cggf
Nhtgc3nOXuhQFhgmVhwcWT+DteDrkPY9mtkd
=ziZ5
-----END PGP PUBLIC KEY BLOCK-----

(it's a key related to my email address, which you can delete or not. I won't use it.)

then run exactly this from command line:

Code: Select all

C:\PROGRA~1\Cryptophane\GnuPG\gpg.exe  --homedir C:\Users\dcf_release\AppData\Roaming\gnupg\ --batch --no-tty --yes --status-fd 1 --import C:\PROGRA~2\OTRS\OTRS\var\tmp\samplekey.asc

or

Code: Select all

C:\PROGRA~1\Cryptophane\GnuPG\gpg.exe  --homedir C:\Users\dcf_release\AppData\Roaming\gnupg\ --batch --no-tty --yes --status-fd 1 --import D:\OTRS\OTRS\var\tmp\samplekey.asc

[HervE]

Thanks for your explanations.
I did like you said.
Result: Your key was imported without any problem using the command line.

Now back to OTRS, what can we conclude from that?

Regards,
HervE