Decrypting GPG encrypted file in which the recipient had a typo

1

I have one GPG key in my computer, whose ID is "jviotti@openmailbox.org".

I'm using the --encrypt command to encrypt a dummy text file, adding myself as the recipient, but with a typo on my ID:

$ echo "Hello World" > foo
$ gpg --recipient jviotti@openmailbox.or --encrypt foo

Now if I try to decrypt it with gpg -d foo.gpg, the usual password screen is presented, showing Juan Cruz Viotti <jviotti@openmailbox.org>. If I put my password correctly, the file is decrypted just fine.

This confuses me, given that the recipient I specified had a typo. Is gpg adding my ID as an implicit recipient?

jviotti

Posted 2017-03-09T18:50:28.380

Reputation: 157

I'm interested in this, having never properly used gpg. It seems there is an option to default to using your own id as the default -

The user ID of the default key is used as the default recipient. gpg does not query for a recipient if this specifies a valid key. The default key is the first key on the private keyring or the key specified with the option default-key.

--

However I'm confused to why it doesn't tell you the specified recipient isn't one that you have the public key for? – djsmiley2k TMW – 2017-03-09T19:09:54.563

Can you add a gpg --list-keys to your question? I'm wondering if you've accidentally added the 'incorrectly spelt id' to your keychain as well. – djsmiley2k TMW – 2017-03-09T19:11:12.527

There is no incorrectly spelt id on my keychain, and "jviotti@openmailbox.org" is the only id in there. – jviotti – 2017-03-10T03:48:55.310

I'm guessing that it matched the first part of the recipient that you did correctly type; it may even work with only typing j since it would match the only key you've got (similar to "tab complete" in a terminal). Try with an actual typo, not just omitting the last letter. And try running your gpg command again, but adding some verbose flags (-v); you can add multiple flags to get more info. I think 9 or 10 is the max, so try adding -vvvvvvvvvv – Xen2050 – 2017-03-10T12:11:05.227

Hi @Xen2050, looks like your theory is right. If I have the public key of a recipient that starts with the ID I pass to --recipient, then that ID is added as a recipient. If the initial part of the string doesn't match, then gpg complains. Do you mind creating a proper answer so I can accept it? – jviotti – 2017-03-11T22:24:50.237

Answers

0

GPG matched the first part of the recipient that you typed in:

jviotti@openmailbox.or     # was typed in
jviotti@openmailbox.org    # ID that was matched

Only the last letter was missing. It should even work with only typing j since it would match the only key you've got (similar to "tab complete" in a terminal).

Try your command with not just omitting the last letter, but changing to a wrong letter in the email; it shouldn't match.

The reason is the default mode for specifying a user ID is a substring match, so your partial email typed in matched the full email of the user ID. There's a section on "How to Specify a User ID" in GPG's man page:

   By substring match.
          This is the default mode but  applications  may
          want to explicitly indicate this by putting the
          asterisk in front.  Match is  not  case  sensi‐
          tive.

     Heine
     *Heine

Here's a slightly different, condensed version on GnuPG.org:

How to specify a user ID

There are different ways on how to specify a user ID to GnuPG; here are some examples:

  • :: Used to locate the default home directory.
  • Here the key ID is given in the usual short form.
  • 234AABBCC34567C4, 0F323456784E56EAB, 01AB3FED1347A5612, 0x234AABBCC34567C4 :: Here the key ID is given in the long form as used by OpenPGP.
  • 1234343434343434C434343434343434, 123434343434343C3434343434343734349A3434, 0E12343434343434343434EAB3484343434343434, 0xE12343434343434343434EAB3484343434343434 :: The best way to specify a key ID is by using the fingerprint of the key. This avoids any ambiguities in case that there are duplicated key IDs (which are really rare for the long key IDs).
  • Using an exact to match string. The equal sign indicates this.
  • Using the email address part which must match exactly. The left angle bracket indicates this email address mode.
  • All words must match exactly (not case sensitive) but can appear in any order in the user ID. Words are any sequences of letters, digits, the underscore and all characters with bit 7 set.
  • Using the Local ID. This is a very low level method and should only be used by applications which really need it. The hash character indicates this method. An application should not assume that this is only a number.
  • By case insensitive substring matching. This is the default mode but applications may want to explicitly indicate this by putting the asterisk in front.

And any gpg command honors verbose flags (-v); you can add multiple flags to get more "verbosity" / more info. I think 10 is the max, so try adding -vvvvvvvvvv

Xen2050

Posted 2017-03-09T18:50:28.380

Reputation: 12 097
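To make the selector modes from the man page excerpt above concrete, here is an added Python model of GnuPG's user-ID matching rules (default substring, `*`, `=`, `<email>`, `+words`, and short/long key ID or fingerprint) run against a constructed two-key keyring. It is example code written for this page, not GnuPG's own implementation; the key IDs, fingerprints and the second user ID are made up. It shows why `jviotti@openmailbox.or` still selects the key, and why the `<email>` form or a fingerprint is the safer way to name a recipient.

```python
import re

# Constructed sample keyring: (long key ID, fingerprint, user IDs).
# The key ID is the trailing 16 hex digits of the fingerprint, as in OpenPGP v4.
# All values are invented for illustration and belong to no real key.
KEYRING = [
    ("0123456789ABCDEF", "1111222233334444555566660123456789ABCDEF",
     ["Juan Cruz Viotti <jviotti@openmailbox.org>"]),
    ("FEDCBA9876543210", "AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210",
     ["Example Person <person@example.org>"]),
]

def _words(text):
    # "Words" per the manual: runs of letters, digits, underscore, or chars with bit 7 set.
    return {w.lower() for w in re.findall(r"[A-Za-z0-9_\u0080-\U0010FFFF]+", text)}

def uid_matches(spec, uid):
    """Apply one GnuPG user-ID selector to a single user ID string."""
    if spec.startswith("="):                          # exact match of the whole user ID
        return uid == spec[1:]
    if spec.startswith("<") and spec.endswith(">"):   # email part must match exactly
        m = re.search(r"<([^>]*)>", uid)
        return m is not None and m.group(1).lower() == spec[1:-1].lower()
    if spec.startswith("+"):                          # every word present, any order
        return _words(spec[1:]) <= _words(uid)
    if spec.startswith("*"):                          # explicit substring mode
        spec = spec[1:]
    return spec.lower() in uid.lower()                # default: case-insensitive substring

def key_matches(spec, key):
    """True if the selector names this key by ID/fingerprint or by one of its user IDs."""
    keyid, fpr, uids = key
    hexspec = spec[2:] if spec.lower().startswith("0x") else spec
    if re.fullmatch(r"[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40}", hexspec):
        # short ID, long ID and fingerprint are all suffixes of the fingerprint
        return fpr.endswith(hexspec.upper())
    return any(uid_matches(spec, u) for u in uids)

def find_recipients(spec, keyring=KEYRING):
    """Return the long key IDs that --recipient SPEC would select."""
    return [k[0] for k in keyring if key_matches(spec, k)]

if __name__ == "__main__":
    for spec in ("jviotti@openmailbox.or", "<jviotti@openmailbox.or>",
                 "<jviotti@openmailbox.org>", "j", "+viotti juan", "89ABCDEF"):
        print(f"{spec!r:32} -> {find_recipients(spec)}")
```

To see which keys a ciphertext was really encrypted to, run `gpg --list-packets foo.gpg` and read the key IDs in its "pubkey enc packet" lines.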