Hiera-eyaml cannot decrypt with key, plain gpg works

[andreahuber]

Hi there,
I'm having an issue that none of my colleagues has, and after some days of research and fiddling around I'm completely stuck so maybe someone here can help?
It's similar to this issue: #164, but none of the solutions suggested there worked for me.

I can decrypt a file or a passage in a file using
eyaml edit --gpg-always-trust --gpg-recipients-file <recipient_file> <my_file>,
but when I try to decrpypt the file I get the following error:

[gpg] Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)
[hiera-eyaml-core] Decryption failed

This is my setup:

• Ubuntu 16.04
• gpg 1.4.20
• hiera-eyaml 2.1.0
• hiera-eyaml-gpg 0.6
• gpgme 2.0.12

This is what I have tried:

• Made sure encryption / decryption with plain gpg works
• Deleted all private keys other than the one I'm using for encryption
• After eyaml decryption surrounded the encrypted value with gpg "headers" and decrypted it with plain gpg -> works. Thus made sure the correct key pair is used for encryption / decryption.
• Explicitly configured gnupg home, and made sure the correct gnupg path is used
• Searched for processes on my system that have anything to do with encryption. Found gpg agent and gnome keyring daemon running. Killed the processes so they would not get in the way of eyaml.
  Encrypted / decrypted again -> failed.
• Set up eyaml in a docker container. Verified that eyaml encryption / decryption worked there. Got rid of all my ruby gems on my machine and installed the exact same setup as in the docker container.

None of these things worked out.

Any ideas anyone? I'm grateful for any hint.

Cheers, Andrea

[ciprianc]

Hi,
I had the same problem as you and I have the exact same versions of libraries that you do. In the other issue that you linked @sihil did mention that the key needs to be the very first in the list and after blowing away the gpg database and importing my secret key first (then all the other) the problem went away.

You mentioned that one thing you tried was deleting all private keys, which tells me that you haven't deleted ALL keys (public too), so you must have assumed that he meant that the the key needs to be the frist secret key, not first key of any kind.

[andrzejhochul]

Also encountered this silly issue , had to blast whole ~/.gnupg as removing ALL the keys with gpg command and re-adding my primary one as the only one wouldn't help.

[rnelson0]

This error does not come from hiera-eyaml, but from hiera-eyaml-gpg, which is not maintained by Vox Pupuli. It looks like @andrzejhochul opened a ticket for that, and I think the reproduction steps and error details should be copied over there. I am sorry that we are not able to help with this issue.