
Decrypting with PGP Command Line 10.2 on AIX - 3090 Bad parameters

Created: 03 Jul 2012 • Updated: 06 Jul 2012 | 9 comments
This issue has been solved. See solution.

Hi,

We have been using PGP 9.9 to decrypt one file on old server. Now I have installed PGP 10.2 on new AIX server and imported the key pair.

File is encrypted as follows --

        Software version:  gpg (GnuPG) 1.4.5

        It is signed with the key. ASCII armored as well.
 
I use following command to decrypt it-

         pgp --verbose --decrypt source_file -o output_file --symmetric-passphrase "passphrase"

It gives following error --

             pgp:decrypt (3157:current local time 2012-07-03T12:01:32-04:00

             temp.trn_orig:decrypt (3188:Version, GnuPG v1.4.5 (MingW32))
             temp.trn_orig:decrypt (3090:operation failed, bad parameters)
 
This error log does not give any information although I am using verbose mode. Same command completes successfully using PGP 9.9. I created a support case for this issue last Thursday but I am still to hear from Symantec technical support person.
 
Thank you..
 

 

 


dfinkelstein's picture

Hi,

For files encrypted to your key, you need to use "--passphrase" to provide the passphrase of the key.  "--symmetric-passphrase" is used to specify a passphrase to use for "conventional" (non-public-key) encryption.

"Bad parameters" is not the most helpful of error messages, sorry.

Edited to add:

Note, using "--passphrase" was always the correct syntax for decrypting with a key.  However, using "--symmetric-passphrase" would have worked prior to 10.2.  The ability to use "--symmetric-passphrase" in place of "--passphrase" was removed as part of a bug fix related to conventional file decryption.

Regards,

 

--------

David Finkelstein

Symantec R&D

parmar's picture

Hi David,

Thank you for the reply. When I use the --passphrase option, file is decrypted but signature is not verified and command completes with a non-zero return code.

decrypt (3037:cannot verify signature)

If I use the same command with older version of PGP (with --passphrase option), it also gives the same error message.

Thank you..

Manmohan Singh

 

dfinkelstein's picture

The file is signed, but you don't have a copy of the signer's key in your keyring, and so PGP Command Line gives you the message that it cannot verify the signature.  The file still decrypted properly and so the output file will be created.

You can get rid of this error by importing the signer's key into your keyring.  This warning will then go away to be replaced with another warning, "3079:signing key invalid", until you sign the key with "pgp --sign-key", signifying that you do indeed believe that this public key belongs to the UserID specified in the key.

--------

David Finkelstein

Symantec R&D

SOLUTION
parmar's picture

I have already imported the private/public key. I am not sure if there is a separate key for signing the file.

PGP 9.9 version (on an old server) also gives this message (decrypt (3037:cannot verify signature)) when using --passphrase option. With option --symmetric-passphrase, PGP 9.9 decrypts without any error. If the signer's key is not in my keyring, then it should give 'cannot verify signature' error for both methods.

 

 

dfinkelstein's picture

Run

"pgp --verify source-file --passphrase [your private key passphrase]"

You'll see output like

 

source-file:verify (3037:cannot verify signature)
source-file:verify (3039:signing key 0x549B93C8)
 
This will tell you the KeyID of the key that signed the file at the time of encryption.  You need to import this key into your keyring.
 

--------

David Finkelstein

Symantec R&D

parmar's picture

I have tried this command on both 9.9 and 10.2. Both times it could not verify the signature. With 9.9 version, the command completes without any error but with 10.2 it says "pgp:verify (3090:operation failed, unknown error". Looks like the new version is more strict in verifying the signatures.

I will get the public key used to sign the file and then try.

Thank you for your timely assistance. I am still to hear from technical support person!

 

dfinkelstein's picture

Though it was fairly long-standing behavior, we considered it a potential security issue -- the signature fails to verify, but we act as if nothing is wrong (except for printing a warning message).  So we changed that behavior for 10.2.

 

--------

David Finkelstein

Symantec R&D
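
An added example, not part of the thread and not Symantec code: a shell gate for batch jobs that refuses decrypted output unless the signature verified, using only the status codes quoted in the replies above (3037, 3039, 3079, 3090). The function names are hypothetical and the sample logs are assembled from lines posted in this thread.

```shell
#!/bin/sh
# Status lines have the form:  name:operation (code:message)
# Codes as quoted in this thread:
#   3037 cannot verify signature   3039 signing key <KeyID>
#   3079 signing key invalid       3090 operation failed

# Sample logs built from the lines posted in this thread.
SAMPLE_VERIFY='source-file:verify (3037:cannot verify signature)
source-file:verify (3039:signing key 0x549B93C8)'
SAMPLE_BADPARAM='temp.trn_orig:decrypt (3188:Version, GnuPG v1.4.5 (MingW32))
temp.trn_orig:decrypt (3090:operation failed, bad parameters)'

# classify_pgp_log: read status lines on stdin, print one verdict word.
#   unverified - signer's key is not in the keyring (3037)
#   untrusted  - signer's key imported but not yet signed (3079)
#   failed     - operation failed for another reason (3090)
#   clean      - none of the codes above appeared
classify_pgp_log() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -qF "($1:"; }
    if has 3037; then echo unverified
    elif has 3079; then echo untrusted
    elif has 3090; then echo failed
    else echo clean
    fi
}

# signing_key_id: print the KeyID from the first 3039 line, if any,
# so the operator knows which public key to request and import.
signing_key_id() {
    sed -n 's/.*(3039:signing key \(0x[0-9A-Fa-f]*\)).*/\1/p' | head -n 1
}

# accept_output: $1 is the exit status of the pgp command, log on stdin.
# Succeeds only when pgp exited 0 AND no signature/failure code was logged,
# so an unverified file is rejected even on versions that only warn.
accept_output() {
    verdict=$(classify_pgp_log)
    [ "$1" -eq 0 ] && [ "$verdict" = clean ]
}

# Demo on the sample verify log from the thread.
printf 'verdict=%s key=%s\n' \
    "$(printf '%s\n' "$SAMPLE_VERIFY" | classify_pgp_log)" \
    "$(printf '%s\n' "$SAMPLE_VERIFY" | signing_key_id)"
```

In a real job the log would be the captured output of the `pgp --decrypt` or `pgp --verify` command and `$1` its exit status; the decrypted file is deleted or quarantined when `accept_output` fails.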

parmar's picture

Hi David,

After importing and signing the signature key, all the error messages have gone away.

It would have saved me many hours of time if instead of calling the technical support people, I had posted on this forum straightaway.

Anyhow, it is all good now. Thank you very much...

Manmohan Singh

dfinkelstein's picture

Great, glad it's all working for you.

Regards,

--------

David Finkelstein

Symantec R&D