jamessan / vim-gnupg

This script implements transparent editing of gpg encrypted files.

Home Page: http://www.vim.org/scripts/script.php?script_id=3645

Vim Script 100.00%
viml gnupg encryption vim-plugin

vim-gnupg's Introduction

vim-gnupg

This script implements transparent editing of gpg encrypted files. The filename must have a .gpg, .pgp or .asc suffix. When such a file is opened, its content is decrypted; when a new file is opened, the script asks for the recipients of the encrypted file. The file content is encrypted to all recipients before it is written. The script turns off viminfo, swapfile, and undofile to increase security.

Installation

Use your favorite plugin manager.

For manual installation, use either pathogen (for old Vim versions) or Vim's packages.

pathogen

Clone or unpack into $HOME/.vim/bundle

Vim package

Clone or unpack into $HOME/.vim/pack/gnupg/start/

GPG Agent

From man 1 gpg-agent:

You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:

GPG_TTY=`tty`
export GPG_TTY

It is important that this environment variable always reflects the output of the tty command. For W32 systems this option is not required.

Most distributions provide software to ease handling of gpg and gpg-agent. Examples are keychain or seahorse.

Reacting to opening an encrypted file

If there are specific actions that should take place when editing a GnuPG-managed buffer, an autocmd for the User event and GnuPG pattern can be defined. For example, the following will set textwidth to 72 for all GnuPG-encrypted buffers:

autocmd User GnuPG setl textwidth=72

This will be triggered before any BufRead or BufNewFile autocmds, and therefore will not take precedence over settings specific to any filetype that may get set.

Known Issues

In some cases gvim can't decrypt files.

This is caused by the fact that a running gvim has no TTY and thus gpg is not able to ask for the passphrase by itself. This is a problem for Windows and Linux versions of gvim and could not be solved unless a "terminal emulation" is implemented for gvim. To circumvent this you have to use any combination of gpg-agent and a graphical pinentry program:

  • gpg-agent only: you need to provide the passphrase for the needed key to gpg-agent in a terminal before you open files with gvim which require this key.
  • pinentry only: you will get a popup window every time you open a file that needs to be decrypted.
  • gpg-agent and pinentry: you will get a popup window the first time you open a file that needs to be decrypted.

Credits

  • Mathieu Clabaut for inspirations through his vimspell.vim script.
  • Richard Bronosky for patch to enable .pgp suffix.
  • Erik Remmelzwaal for patch to enable windows support and patient beta testing.
  • Lars Becker for patch to make gpg2 working.
  • Thomas Arendsen Hein for patch to convert encoding of gpg output.
  • Karl-Heinz Ruskowski for patch to fix unknown recipients and trust model and patient beta testing.
  • Giel van Schijndel for patch to get GPG_TTY dynamically.
  • Sebastian Luettich for patch to fix issue with symmetric encryption and set recipients.
  • Tim Swast for patch to generate signed files.
  • James Vega for patches for better *.asc handling, better filename escaping and better handling of multiple keyrings.

License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

vim-gnupg's People

Contributors

blueyed, embear, jamessan, jonty, koronen, matt-garman, nachoalonso, powerman, rudis, srstevenson, thomasah, tyll, vaz


vim-gnupg's Issues

E331: Must not add menu items directly to menu bar

Hi,

Every time I want to open a .gpg file I get an error saying "E331: Must not add menu items directly to menu bar". I then have to press the Enter key and enter my passphrase, and then everything seems to work normally.

Does it break the security?

Also, is it safe to store a gpg-encrypted file in my Dropbox folder and edit it from there, or will unencrypted files be saved during the editing process (using the vim-gnupg plugin of course)?

I run Debian on a VM

Thanks !

"File is not encrypted ..." error in Cygwin with Gpg4win

I suspect the problem is that the gpg (and gpg2) commands installed by Gpg4win expect (require) Windows-style paths.

I followed the steps outlined in this comment:

  1. I opened Vim by itself.
  2. I ran :let g:GPGDebugLevel=3 and then :let g:GPGDebugLog="debug.log".
  3. I opened an encrypted file.

The contents of the debug.log file:

GnuPG: >>>>>>>> Entering s:GPGInit(1)
GnuPG: gnupg.vim 2.6
GnuPG: shellredirsave: >%s 2>&1
GnuPG: shellsave: /bin/bash
GnuPG: shelltempsave: 1
GnuPG: shell: /bin/sh
GnuPG: shellcmdflag: -c
GnuPG: shellxquote:
GnuPG: shellredir: >%s 2>&1
GnuPG: stderrredirnull: 2>/dev/null
GnuPG: shell implementation: /bin/sh
GnuPG: command: gpg --trust-model always --version 2>/dev/null
GnuPG: rc: 0
GnuPG: output: gpg (GnuPG) 2.0.30 (Gpg4win 2.3.2)^M^@libgcrypt 1.6.5^M^@Copyright (C) 2015 Free Software Foundation, Inc.^M^@License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>^M^@This is free software: you are free to change and redistribute it.^M^@There is NO WARRANTY, to the extent permitted by law.^M^@^M^@Home: C:/Users/kevitt/AppData/Roaming/gnupg^M^@Supported algorithms:^M^@Pubkey: RSA, RSA, RSA, ELG, DSA^M^@Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,^M^@        CAMELLIA128, CAMELLIA192, CAMELLIA256^M^@Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224^M^@Compression: Uncompressed, ZIP, ZLIB, BZIP2^M^@
GnuPG: public key algorithms: RSA, RSA, RSA, ELG, DSA^M
GnuPG: cipher algorithms: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,^M
GnuPG: hashing algorithms: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224^M
GnuPG: compression algorithms: Uncompressed, ZIP, ZLIB, BZIP2^M
GnuPG: <<<<<<<< Leaving s:GPGInit()
GnuPG: >>>>>>>> Entering s:GPGDecrypt(1)
GnuPG: command: gpg --trust-model always --no-use-agent --verbose --decrypt --list-only --dry-run --no-use-agent --logger-fd 1 '/home/kevitt/pass-neck-restore-test/home/kevitt/.password-store/neck/TeamCity administrator.gpg' 2>/dev/null
GnuPG: rc: 2
GnuPG: output: gpg: can't open `/home/kevitt/pass-neck-restore-test/home/kevitt/.password-store/neck/TeamCity administrator.gpg': Invalid argument^M^@gpg: decrypt_message failed: Invalid argument^M^@
GnuPG: this file is not encrypted
GnuPG: <<<<<<<< Leaving s:GPGDecrypt()
GnuPG: >>>>>>>> Entering s:GPGCleanup()
GnuPG: <<<<<<<< Leaving s:GPGCleanup()

A Bash script (for managing passwords) that also uses gpg and targets Cygwin uses a function to handle Windows paths:

...

# replaces Cygwin-style filenames with their Windows counterparts
gpg_winpath() {
    local args=("$@")
    # as soon as an argument (from back to front) is no file, it can only be a filename argument if it is preceded by '-o'
    local could_be_filenames="true"
    local i
    for ((i=${#args[@]}-1; i>=0; i--)); do
        if ( [ $i -gt 0 ] && [ "${args[$i-1]}" = "-o" ] && [ "${args[$i]}" != "-" ] ); then
            args[$i]="$(cygpath -am "${args[$i]}")"
        elif [ $could_be_filenames = "true" ]; then
            if [ -e "${args[$i]}" ]; then
                args[$i]="$(cygpath -am "${args[$i]}")"
            else
                could_be_filenames="false"
            fi
        fi
    done
    $GPG_ORIG "${args[@]}"
}

if $GPG --help | grep -q 'Home: [A-Z]:[/\\]'; then
    GPG_ORIG="$GPG"
    GPG=gpg_winpath
fi

The key to the function is that Cygwin supplies a builtin command cygpath for converting Unix-style paths to Windows-style paths.

No matching autocommands

Whenever I try to open a file I get this error:

No matching autocommands
Message could not be decrypted! (Press ENTER)

In Emacs the file opens correctly.

I am using MacOS 10.9.5

--no-tty doesn't work in gvim

I am using vim-gnupg under Debian GNU/Linux with following versions:

  • vim (gvim) 7.4.488
  • gpg 1.4.18

Whenever I try to open a .asc file I am getting: "Message could not be decrypted! (Press ENTER)"

Debug output:

GnuPG: command: silent r !LANG=C LC_ALL=C gpg --trust-model always --no-use-agent --no-tty --quiet --decrypt '/tmp/deneme.asc' 2>/dev/null
GnuPG: rc: 2

Same command is returning: "gpg: Sorry, no terminal at all requested - can't get input". Removing --no-tty from args fixed the issue for me.

Does not honor readonly property of original file

If foo.gpg has read-only file permissions, the decrypted buffer should be set readonly.

This might get handled in a special way later, too - e.g. when writing, but setting it initially is good enough for now probably.

It might be nice if the original file permissions would be perceived as-is, but I am not sure if that makes sense for the executable bit for example.

FavEx: edit .gpg file does not decrypt

I've got an encrypted file favourited using FavEx, when I open it (pressing enter on its line) the file is not decrypted. FavEx launches the command edit path/to/file.

throw-keyids breaks reading files that have been written with it enabled

Hi

This isn't necessarily an improvement request, but rather something worth noting..

When throw-keyids is enabled you see the following:

Old files can be read, but any newly-saved with throw-keyids enabled, are no longer easily readable with the plugin.

throw-keyids is vaguely useful for securing privacy - see https://gist.github.com/bnagy/8914f712f689cc01c267

Could it be possible to specify a decryption key for the plugin ?

Anyway, there you go.

Cheers

Alex

Workaround in `s:GPGPostCmd()` has side effects

In my .vimrc I do meta mappings setup (exec 'set <M-'.c.">=\e".c). When I open *.gpg file so that vim-gnupg kicks in, those are reset. I figured out that problem is caused by supposed workaround for some other issue reading:

" Workaround a bug in the interaction between console vim and
" pinentry-curses by forcing Vim to re-detect and setup its terminal
" settings
let &term = &term

By commenting it out I get desired behaviour.

Breaks when 'shellslash' is on under Windows

It just breaks on various things when set shellslash while keeping other shell related options like 'shell' on their default.

The reason to set shellslash is simply for better User Experience like many tools on Windows do these days: Powershell, git, cygwin, etc. and popular Vim plugins like fugitive, unite, etc.

The effect of the option 'shellslash' is both internal and external. So we should check its value when invoking shell commands.

homedir option not working due to false position in argument list

Hello,

I was trying to set up that plugin for a different gpg-homedir using the following configuration statement:

let g:GPGHomedir = '/home/xxx/folder/.gnupg/'

unfortunately that did not work for me - the plugin reported that the encrypted file wasn't encrypted.

After enabling debugging and running the commands manually it turned out that gpg (1.4.18-2) only supports options before the '--decrypt' statement:

/usr/bin/gpg --no-use-agent --verbose --decrypt --list-only --dry-run --batch --no-use-agent --logger-fd 1 '/home/xxx/folder/plain.txt.asc' --homedir '/home/xxx/folder/.gnupg/'
usage: gpg [options] --decrypt [filename]

Moving that homedir statement to the beginning of the gpg invocation solved the problem, but as I'm not too familiar with that plugin code I just circumvented that problem with:

let g:GPGExecutable = '/usr/bin/gpg --homedir /home/xxx/folder/.gnupg/'
" let g:GPGHomedir = '/home/xxx/folder/.gnupg/'

cheers,
gabriel

Sign when writing files that were signed and verify signed files when opening

Hi James,

By reading the source I got the impression that when writing files are only signed if the variable g:GPGPreferSign is set to 1, regardless of whether the file was signed to begin with. Assuming my interpretation of the code is right (I don't know any vimscript), I was wondering if the plugin should check if the encrypted file is signed while decrypting it and let b:GPGOptions += ["sign"] accordingly. gpg --decrypt tells you if the signature could be verified in the last 2 lines written to stderr:

gpg: Signature made ... using ... key ID ...
gpg: Good signature from ...

Using this same information signed files can be verified when opening them :)

Files that aren't signed just don't write those last 2 lines to stderr.

Cheers,
Ricardo

Incompatible with bogado/file-line

Recently vim-gnupg stopped working properly. It loads an encrypted .gpg file and after flashing the clear-text briefly it shows a buffer of scrambled bytes.

I disabled my other bundles one-by-one and found that when both jamessan/vim-gnupg and bogado/file-line are active this issue occurs. I filed this issue there as well.

Another issue is that when loading a .gpg file all syntax highlighting and colors are disabled. Is that intentional?

If a .asc file is edited and then saved, it is saved without armor.

The problem is that, while GPGInit sets GPGOptions based on user preferences, these are cleared in GPGDecrypt. Armor is only turned on if gpg outputs "gpg: armor header", which the latest version on Ubuntu 14.04 does not do. This behaviour is wrong anyway, since a user might rename a .gpg to .asc and then edit, expecting it to change format, but it won't.

Conflicts with tmux-plugins/vim-tmux-focus-events

Whenever I open an .gpg file, its contents are echoed on the bottom of screen with the 'Press ENTER or type command to continue' message right after.

If I disable the vim-tmux-focus-events plugin or if I set g:GPGUsePipes=1, everything works fine.

Also, my &t_EI and &t_SI settings are being removed by vim-gnupg even without vim-tmux-focus-events. Not sure if this is somewhat related to the same issue.

File Type

Is there any reason why this plugin does not provide a filetype definition for GnuPG files? I have some extra options that I like to set on GPG files and I'd love to just toss these in ~/.vim/ftplugin/gnupg.vim rather than having them clutter up my ~/.vimrc.

Plugin disables the function to set custom filetypes for *.asc, *.pgp, and *.gpg files

Hi James,

really love your plugin, but the settings au! BufRead,BufNewFile *.asc,*.gpg,*.pgp set filetype=text have no effect when I'm using your plugin. When turning off your plugin, my settings are working.

Can you help me with this issue? I scanned through your plugin code but couldn't find the location where you prevent the custom filetype settings for *.asc, *.pgp, and *.gpg files

Using as a password vault: remembering symmetric keys

Hi, this is really a feature-wish and not a bug. Right now I have a text file I use as my personal password vault ... I really want it to remember the password once I open it, so that it doesn't have to ask me again when I save it. (Vimcrypt kind of works this way)

Obviously, it would have been far better if something like this was supported by gpg-agent in some way. But till then, is it possible to do this by just writing it in a private file in /dev/shm (or whatever is the secure memory filesystem on your Linux distro)?

If you think it belongs here, I could try and cook up a patch for this if you want.

Neovim compatibility (for terminal pinentry prompts)

neovim spawns shell commands connected to pipes, which prevents vim-gnupg from receiving input when asking for passphrase.

To make vim-gnupg work with neovim it would be great to see an updated version using termopen.

New release

Hi James, can you make a new release tag? Thanks for this great plugin.

Bests Matthias

Improve handling of viminfo unsetting

When opening an encrypted file in the middle of a Vim session, the plugin's behavior of unsetting viminfo is nasty, because you will lose valuable information from the other buffers / your whole session.

The main concern appears to be that e.g. no registers with sensible data are being stored?! What else is affected?

It might make sense to have a setting to disable unsetting "viminfo" altogether, or have a warning / dialog which asks the user about how to handle it.

Either way, the old value of 'viminfo' could get stored in a global var, making it easier to re-enable it.

Better error reporting of GPG failures

I ran into a strange situation where my gpg worked via the terminal (exactly the same command copied from the log), however the plugin failed to load with "Message could not be decrypted! (Press ENTER)".

The problem was that gpg worked but returned code 2 because it encountered a malformed GPG_AGENT_INFO variable, and it would have been really nice if I hadn't had to spend two hours of gun-shot debugging to find this :-)

Clipboard support since bd3ebdf

For me, when using console vim, the + and * registers don't show up with :reg or work with other programs with the "let &term = &term" line, added in commit bd3ebdf.

So copying text from external programs into the buffer, and vice versa doesn't work, the registers just act like the other character registers.

I don't have a clue why.

"File is not encrypted, all GPG functions disabled" on KDE

History
I am on archlinux. I had been running vim-gnupg smoothly in Gnome shell for at least 4 months. Last used 1 month back.
Yesterday I uninstalled gnome shell and installed KDE. During this process I also updated all the packages on the system.

Problem
.gpg files do not decrypt automatically. Gives the message "File is not encrypted, all GPG functions disabled"

gpg -d test.gpg
# asks for password
# shows the content of test.gpg

vim test.gpg
# shows gibberish with error message at the bottom.

I then updated the plugin to the latest version on git. Now, the error message isn't appearing. But the file is still not decrypted.

other info

  • older files which were correctly being decrypted in the past aren't being decrypted now.
  • files I create with vim-gnupg itself now aren't being decrypted either.

Is there anything I can do to debug this issue?

Update
I missed an important detail. During the switch to kde, I had to uninstall seahorse and replace it with ksshaskpass.

nobackup

Hi,

I love your plugin. :) I just have one question, which I hope you can clarify. As far as I can tell from the source code and by checking 'set backup?', writing of backup files is not explicitly disabled by this plugin (unlike swap files, undo files and viminfo). On the other hand, when I edit a .gpg or .asc file, no backup seems to be created. I couldn't figure out what causes backup files not to be written, since 'nobackup' is not explicitly set by this plugin. Can you explain why no backup is created?

In my case, I would actually like to set nobackup, which I realize I could with an autocmd. Perhaps some people would like backups (as long as the backed up copy remains encrypted). Presently, this does not seem possible or, at least, it is not obvious to me how to do it.
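The side files this question is about (swap, backup and undo files) can be checked for directly on disk. The following is an added example, not part of the original post or of vim-gnupg; it assumes Vim's default file names and that 'directory', 'backupdir' and 'undodir' include the edited file's own directory, and find_vim_leftovers and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of vim-gnupg): list Vim side files that sit next
# to encrypted files. Assumption: Vim's default naming and locations, i.e.
# swap = .NAME.sw?, backup = NAME~, undo = .NAME.un~ in the file's directory.

# find_vim_leftovers DIR
# Prints, sorted, every swap, backup or undo file that exists beside a
# *.gpg, *.pgp or *.asc file under DIR. Empty output means nothing was found.
# The body is a subshell so its variables do not leak into the caller.
find_vim_leftovers() (
    find "$1" -type f \( -name '*.gpg' -o -name '*.pgp' -o -name '*.asc' \) |
    while IFS= read -r enc; do
        dir=$(dirname "$enc")
        name=$(basename "$enc")
        # An unmatched .sw? glob stays literal and is rejected by the -f test.
        for cand in "$dir/$name~" "$dir/.$name.un~" "$dir/.$name".sw?; do
            if [ -f "$cand" ]; then
                printf '%s\n' "$cand"
            fi
        done
    done | LC_ALL=C sort
)

# Constructed demo tree: clean.gpg has no side files, vault.asc has a swap
# file and a backup file next to it.
make_demo_tree() {
    demo=$(mktemp -d)
    : > "$demo/clean.gpg"
    : > "$demo/vault.asc"
    : > "$demo/.vault.asc.swp"
    : > "$demo/vault.asc~"
    printf '%s\n' "$demo"
}

demo_dir=$(make_demo_tree)
find_vim_leftovers "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a synced folder such as the one that holds the encrypted files; any path it prints is a file to inspect for plaintext.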

Provide wrapper commands for decrypting and encrypting

When editing pillar files for Salt, these might contain encrypted information, e.g.

foo:
  api_key: |
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1

    …
    -----END PGP MESSAGE-----

It is possible to decrypt them by visually selecting the block, removing the indentation and then running :!gpg --decrypt 2>/dev/null, but that could be simplified by providing a wrapper command for this.

What do you think?

In the same vein, gpg --encrypt --armor might be provided as a command, although that usually requires you to specify a recipient key, but which will be asked for interactively.

Cannot move the cursor with arrow keys

I cannot move the cursor with arrow keys after opening a .gpg file.

How to reproduce :

echo "hello world" > foo
gpg -c foo

Enter passphrase twice. Then :

vim foo.gpg

It asks for the passphrase, enter it. Once the file is decrypted in vim, the arrow keys don't move the cursor anymore. If you click on the left arrow key, you will get the error message :

E388: Couldn't find definition

Environment :

CentOS 6.5 : 2.6.32-431.17.1.el6.x86_64

VIM - Vi IMproved 7.2 (2008 Aug 9, compiled Apr  5 2012 10:17:30)
Included patches: 1-411
Modified by <[email protected]>
Compiled by <[email protected]>
Huge version without GUI.  Features included (+) or not (-):
+arabic +autocmd -balloon_eval -browse ++builtin_terms +byte_offset +cindent
-clientserver -clipboard +cmdline_compl +cmdline_hist +cmdline_info +comments
+cryptv +cscope +cursorshape +dialog_con +diff +digraphs -dnd -ebcdic
+emacs_tags +eval +ex_extra +extra_search +farsi +file_in_path +find_in_path
+float +folding -footer +fork() +gettext -hangul_input +iconv +insert_expand
+jumplist +keymap +langmap +libcall +linebreak +lispindent +listcmds +localmap
+menu +mksession +modify_fname +mouse -mouseshape +mouse_dec +mouse_gpm
-mouse_jsbterm +mouse_netterm -mouse_sysmouse +mouse_xterm +multi_byte
+multi_lang -mzscheme -netbeans_intg -osfiletype +path_extra +perl +postscript
+printer +profile +python +quickfix +reltime +rightleft -ruby +scrollbind
+signs +smartindent -sniff +startuptime +statusline -sun_workshop +syntax
+tag_binary +tag_old_static -tag_any_white -tcl +terminfo +termresponse
+textobjects +title -toolbar +user_commands +vertsplit +virtualedit +visual
+visualextra +viminfo +vreplace +wildignore +wildmenu +windows +writebackup
-X11 -xfontset -xim -xsmp -xterm_clipboard -xterm_save
   system vimrc file: "/etc/vimrc"
     user vimrc file: "$HOME/.vimrc"
      user exrc file: "$HOME/.exrc"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H     -O2 -g -pipe -Wall  -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64  -D_FORTIFY_SOURCE=1    -D_REENTRANT -D_GNU_SOURCE  -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64  -I/usr/lib64/perl5/CORE  -I/usr/include/python2.6 -pthread
Linking: gcc   -Wl,-E -Wl,-rpath,/usr/lib64/perl5/CORE   -L/usr/local/lib -o vim       -lselinux  -lncurses -lacl -lgpm   -Wl,-E -Wl,-rpath,/usr/lib64/perl5/CORE  -fstack-protector  -L/usr/lib64/perl5/CORE -lperl -lresolv -lutil -lc -L/usr/lib64/python2.6/config -lpython2.6 -lutil -lm -Xlinker -export-dynamic

If I set :

:set term=xterm

the arrow keys work again. Maybe it comes from the passphrase popup in the terminal, because I've also tried in a full MATE GUI environment, and the popup asking for passphrase is a MATE graphical one (not in the terminal like in CentOS) and there is no issue with arrow keys afterwards.

Any clue ?

Editing .asc file through scp

Editing an existing .asc file with vim correctly prompts for a passphrase and decrypts the file.

Trying to edit the same file through scp (using the vim scp:// syntax) opens the file as-is (i.e. without prompting for a passphrase and decrypting the file) in the top window of a horizontal split (the bottom window is blank). The top window seems to be expected to contain recipients.

I would like to know if there is something to do to decrypt the file on-the-fly, just like in the local edit case, or if there is a command I could type within Vim to decrypt the file after it is displayed encrypted.

Thanks!

spurious error with vim 7.4

I seem to get a spurious error about gpg-agent when using the plugin with vim-7.4, on both ubuntu and arch.

Using the latest (2.5) version released on vim.org:

Error detected while processing function <SNR>10_GPGDecrypt:
line   64:
E734: Wrong variable type for +=

Using the current version from master on github, the line number changes from 64 to 76 but is otherwise identical.

I did find issue #1, and verified that my bashrc is properly exporting $GPG_TTY, so this appears to be something different.

Everything seems to work just fine, the error is just an annoyance as it takes a second or two to disappear before the decrypted file appears in the buffer.

yank to system clipboard ("+y) not working

Hi,

I noticed another issue, namely that yanking to the system clipboard is not working. I am not sure if this is intentional or not? Since I store my passwords in a GPG encrypted file, I would like to yank the password to the system clipboard.

Note, when editing any unencrypted file, yanking to the clipboard (e.g "+yy to yank the current line) works without issue. I also tried :set viminfo=, :set noswapfile, :set noundofile when editing any unencrypted file to see if any of these options were causing the clipboard to stop working, but this does not seem to be the issue.

I am using KDE @ Debian/jessie and Vim in Konsole.

Cannot decrypt on Windows 8.1

Hello,

I am able to encrypt files but I cannot decrypt them once encrypted.

I think the issue is related to the language gpg is running.

From the plugin, line 385 :

let asymmPattern = 'gpg: public key is ' . s:keyPattern

My gpg is running in french, so the output of the command is not what the plugin expects.

I would be glad to run gpg in english but I can't find a way to do so.

Anyone had the issue and knows a workaround ?

Thanks,

David
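The match on localized text described in this issue, and the "Good signature" lines proposed for verification in the signing issue earlier on this page, can both be replaced by the status lines gpg writes to the descriptor given with --status-fd, whose keywords do not change with the locale. The following is an added example, not part of the original posts or of the plugin; classify_gpg_status and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of vim-gnupg): classify a gpg run from its
# machine-readable status lines instead of from localized messages such as
# "gpg: public key is ..." or "gpg: Good signature from ...".
# Typical feed, not run here:
#   gpg --status-fd 3 --decrypt FILE 3>&1 >/dev/null 2>/dev/null | classify_gpg_status

# Reads status output on stdin and prints one key=value summary line.
# The body is a subshell so its variables do not leak into the caller.
classify_gpg_status() (
    cr=$(printf '\r')
    encrypted=no recipients= decrypted=no signature=none reason=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}              # Windows builds end lines with CR LF
        case $line in
            "[GNUPG:] "*) ;;            # keep status lines only
            *) continue ;;              # skip localized log text
        esac
        rest=${line#"[GNUPG:] "}
        keyword=${rest%% *}
        case $rest in
            *" "*) args=${rest#* } ;;
            *)     args= ;;
        esac
        case $keyword in
            ENC_TO)                     # ENC_TO <keyid> <keytype> <keylength>
                encrypted=asym
                recipients=${recipients:+$recipients,}${args%% *} ;;
            NEED_PASSPHRASE_SYM)
                if [ "$encrypted" = no ]; then encrypted=sym; fi ;;
            DECRYPTION_OKAY)   decrypted=yes ;;
            DECRYPTION_FAILED) decrypted=no ;;
            NO_SECKEY)         reason=no-secret-key ;;
            NODATA)
                if [ -z "$reason" ]; then reason=not-openpgp-data; fi ;;
            GOODSIG)                    # a bad signature is never overridden
                if [ "$signature" != bad ]; then signature=good; fi ;;
            BADSIG)            signature=bad ;;
            ERRSIG)
                if [ "$signature" = none ]; then signature=unverified; fi ;;
        esac
    done
    printf 'encrypted=%s recipients=%s decrypted=%s signature=%s reason=%s\n' \
        "$encrypted" "$recipients" "$decrypted" "$signature" "${reason:-none}"
)

# Constructed sample: signed, public-key encrypted file, non-English gpg.
sample_signed() {
    cat <<'EOF'
gpg: (constructed localized log line, ignored by the parser)
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] END_DECRYPTION
EOF
}

# Constructed sample: encrypted to two keys we do not hold, CR LF line ends.
sample_no_key() {
    printf '[GNUPG:] ENC_TO 1111111111111111 1 0\r\n'
    printf '[GNUPG:] ENC_TO 2222222222222222 1 0\r\n'
    printf '[GNUPG:] NO_SECKEY 1111111111111111\r\n'
    printf '[GNUPG:] NO_SECKEY 2222222222222222\r\n'
    printf '[GNUPG:] BEGIN_DECRYPTION\r\n'
    printf '[GNUPG:] DECRYPTION_FAILED\r\n'
    printf '[GNUPG:] END_DECRYPTION\r\n'
}

# Constructed sample: a file that is not OpenPGP data at all.
sample_plain() {
    printf '[GNUPG:] NODATA 1\n'
}

sample_signed | classify_gpg_status
sample_no_key | classify_gpg_status
sample_plain  | classify_gpg_status
```

The three summaries separate cases that a failed text match reports alike: a file that is not encrypted, a file encrypted to a key that is not available, and a file that decrypted with a verified signature.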

How to load it lazy with NeoBundle?

I have the following recipe for NeoBundle

jamessan/vim-gnupg:
  description: Edit and save encrypted '*.gpg' files in-place
  external_commands: gpg
  augroup: GnuPG
  filename_patterns: ['\.gpg$', '\.asc$', '\.pgp$']
  lazy: 1

And corresponding part in vimrc

if neobundle#tap('vim-gnupg') "{{{
  fun! neobundle#hooks.on_post_source(bundle)
    silent! exe 'doautocmd GnuPG BufReadCmd'
  endf
  call neobundle#untap()
endif "}}}

So, I assumed that calling BufReadCmd would do the work. It seems not so, because when manually calling the autocmd, instead of the usual behaviour, only the first several lines of encrypted text are rewritten (with the exact decrypted text). And by using 'u' I can undo this text back to the encrypted container, which is weird.
Which steps must I manually do in the on_post_source or on_source hooks to complete the expected initialization of this plugin?

Writing a file to a non-existent dir will silently fail

Reproduce:

  • vim /nonexistentdir/foo.gpg
  • Write stuff, add recipient.
  • :wq
  • Your stuff is gone.

Same when you :new /nonexistentdir/foo.gpg or the like. At least getting some warning would probably have saved me reproducing an hour of work 😃

Symmetric encryption password not cached

Hello,
I have both - pinentry and gpg-agent - but still I'm asked every time I open and save a gpg encrypted file. Can vim remember the password in memory so it does not ask to type the password twice on exit?

I'm using the plugin from the last commit - 419695d

shelltemp is supported on Windows

There's a comment in gnupg.vim that reads,

noshelltemp isn't currently supported on Windows

But vim help for shelltemp shows,

Currently a pipe is only supported on Unix and MS-Windows 2K and later.  You can check it with:
    :if has("filterpipe")

I do see that shelltemp is set but don't fully understand why procmon shows that a temp file is always created anyway (I do have g:GPGUsePipes = 1). I was interested in this plugin because I have an SSD and can't easily wipe secure temp files like an HDD (you have to multi-pass wipe the entire drive's free space on an SSD).

I'm happy to fix and submit a PR but not understanding this fully and hoping maybe you can shed light on it. Since shelltemp is set regardless of the platform, shouldn't this work without creating temp files at all? Or are the temp files containing something else that is not the decrypted contents?

Encrypt to clipboard

A command to encrypt the current buffer to the clipboard would be really helpful

Buffer is emptied after reloading via :checktime

I've noticed that when a .gpg buffer has changed outside of Vim (e.g. from another Vim instance with vim-gnupg), the buffer will be empty after :checktime and selecting to (L)oad the buffer anew.

W11: Warning: File "foo.txt.gpg" has changed since editing started                     
See ":help W11" for more info.                                                               
[O]K, (L)oad File:

I have some autocommands to trigger this automatically, but it also happens with them disabled and manually calling :checktime.

It does not happen always though, but e.g. when adding a new line to the top of the file.

When this happens the buffer contents look garbled/encrypted already during the :checktime prompt.

I could not trigger it when using :e instead to reload the file.

Browse a tarball after decrypting it

Vim can browse the directory tree of a tarball so I can't help but wonder how cool it would be to end up with that scenario given the following:

$ vim foo.tar.gz.asc

At this time, the file is decrypted but then vim errors on the resulting foo.tar.gz

Error: Could not read uncompressed file

pinentry-curses passphrase prompt flashes and disappears before I can type in passphrase

I noticed this started happening a few months ago, after a system upgrade (I'm on RHEL 6).

When I attempt to open an encrypted file in a terminal session, vim-gnupg gets as far as the pinentry-curses prompt box on my terminal, but then immediately exits the pinentry program, and leaves me in an empty buffer, with the message that the file cannot be decrypted.

I can open the file with vim from the command line and supply the passphrase via pinentry-gtk-2 when logged in to an X session, and I can decrypt the file manually with gpg in a terminal session; the pinentry-curses prompt shows as normal, and waits for me to press enter to submit my passphrase, then decrypt the file.

My GPG_TTY environment variable is correctly set when I try to decrypt a file.

So it appears to be some interaction between vim and pinentry-curses, where it is not waiting for pinentry-curses to return?

Let me know if you'd like me to supply debugging output; I did generate a GPGDebugLog, but it did not show anything beyond what I describe above.

thanks in advance.

recipients list is silently appended from other buffers

Behavior is illustrated with the following scenario:

I have two files encrypted with gnupg: file1.gpg and file2.gpg.

file1.gpg has two recipients: myself and Bob.

file2.gpg has two recipients: myself and Alice.

I open file1.gpg in vim. In the same vim session, I open file2.gpg.

I switch to the file1.gpg buffer, make a change, and save it.

file1 now has three recipients: myself, Bob AND Alice.

In this scenario at least, the recipients list behaves like a global super-set of all buffers' recipients.

colorscheme not loaded

For some reason, my .vimrc is not sourced when I open .asc files using this plugin.
After disabling all other plugins and custom code, the problem persisted.

Any ideas on how I can identify the cause?

gnupg 2.1 removes need for GPG_AGENT_INFO check

As mentioned in gnupg 2.1's announcement

  • gpg: Removed the GPG_AGENT_INFO related code. GnuPG does now only
    use a fixed socket name in its home directory.

The check for whether to use --use-agent or --no-use-agent needs to be updated to reflect this.

Workaround in 's:GPGPostCmd()' freezes vim in tmux-256color terminal

Whenever I invoke vim in a tmux-256color terminal to edit a gnupg encrypted file it freezes, shows an empty window and does not react to any key press. I have to kill -KILL the process to get the terminal back.

Commenting out line 1363

let &term = &term

resolves that problem but I'm not sure what other side-effects that might have ....

Spurious "gpg-agent might not work" message

When starting up, you get an error message in red reverse video saying "gpg-agent might not work." and then ... it works. This is especially evident when you edit a new empty file with a .asc suffix; the message holds on the status line.

AfC

t_Co is unset somehow by vim-gnupg

I use a fancy colorscheme that needs 256 colors and so I use "set t_Co=256" in my vimrc.

Somehow it gets unset when I load a gpg file. I have to set it back manually to get the colors from my scheme.

Any idea why?

Doesn't seem to work

Steps:

% echo Hello > test
% gpg --encrypt -r [email protected] test
% vim test.gpg

Contents in buffer (unreadable gibberish).


Debug log:

GnuPG: >>>>>>>> Entering s:GPGInit(1)
GnuPG: gnupg.vim 2.5
GnuPG: shellredirsave: >%s 2>&1
GnuPG: shellsave: /bin/zsh
GnuPG: shelltempsave: 1
GnuPG: shell: /bin/sh
GnuPG: shellcmdflag: -c
GnuPG: shellxquote:
GnuPG: shellredir: >%s 2>&1
GnuPG: stderrredirnull: 2>/dev/null
GnuPG: shell implementation: /usr/bin/bash
GnuPG: command: LANG=C LC_ALL=C gpg --trust-model always --use-agent --version 2>/dev/null
GnuPG: rc: 0
GnuPG: output: gpg (GnuPG) 2.1.2^@libgcrypt 1.6.3^@Copyright (C) 2015 Free Software Foundation, Inc.^@License GPLv3+: GNU
GPL version 3 or later <http://gnu.org/licenses/gpl.html>^@This is free software: you are free to change and redistribute
it.^@There is NO WARRANTY, to the extent permitted by law.^@^@Home: /home/patrick/.config/gnupg^@Supported algorithms:^@Pu
bkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA^@Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,^@        CAMEL
LIA128, CAMELLIA192, CAMELLIA256^@Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224^@Compression: Uncompressed, ZIP, Z
LIB, BZIP2
GnuPG: public key algorithms: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
GnuPG: cipher algorithms: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
GnuPG: hashing algorithms: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
GnuPG: compression algorithms: Uncompressed, ZIP, ZLIB, BZIP2
GnuPG: <<<<<<<< Leaving s:GPGInit()
GnuPG: >>>>>>>> Entering s:GPGDecrypt(1)
GnuPG: command: LANG=C LC_ALL=C gpg --trust-model always --use-agent --verbose --decrypt --list-only --dry-run --batch --n
o-use-agent --logger-fd 1 '/home/patrick/test.gpg' 2>/dev/null
GnuPG: rc: 0
GnuPG: output: gpg: public key is 33868FEC
GnuPG: this file is asymmetric encrypted
GnuPG: recipient is 33868FEC
GnuPG: >>>>>>>> Entering s:GPGNameToID()
GnuPG: command: LANG=C LC_ALL=C gpg --trust-model always --use-agent --quiet --with-colons --fixed-list-mode --list-keys '
33868FEC' 2>/dev/null
GnuPG: rc: 0
GnuPG: output: tru:t:1:1427982702:1439805005:3:1:5^@pub:u:2048:1:75481C55CEC8925D:1376662444:1439805005::u:::scESC::::::^@
uid:u::::1409513761::FAAD99E657D009E66EE2B81F47D718CCBC2DE359::Patrick Brisbin <[email protected]>:^@uid:u::::1408269005:
:974B5C77A4F08DDF04E3FB513DCB1DA75F30F1E8::Patrick Brisbin <[email protected]>:^@sub:u:2048:1:C35EC89C33868FEC:1376662444
:1439805092:::::e::::::^@sub:u:4096:1:DB04E2CE780A17DE:1409514434:1441050434:::::s::::::
GnuPG: <<<<<<<< Leaving s:GPGNameToID()
GnuPG: name of recipient is 75481C55CEC8925D
GnuPG: called BufReadPre autocommand for test
GnuPG: decrypting file
GnuPG: command: silent r !LANG=C LC_ALL=C gpg --trust-model always --use-agent --quiet --decrypt '/home/patrick/test.gpg'
2>/dev/null
GnuPG: rc: 0
GnuPG: called BufReadPost autocommand for test
GnuPG: <<<<<<<< Leaving s:GPGDecrypt()

The file is valid, and the command works:

% LANG=C LC_ALL=C gpg --trust-model always --use-agent --quiet --decrypt '/home/patrick/test.gpg'
Hello

What am I doing wrong?
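
Added example (not code from the plugin or from any of the reports above): a recipient audit that relies only on gpg's machine-readable output, which bears on both the French-locale report and the merged-recipients report. It reads `ENC_TO` status lines (written by gpg when run with `--status-fd`) and a `--with-colons` listing like the one in the debug log, resolves each encryption subkey to its primary key, and compares the result with the recipients you expect. The status lines, the second key, the unknown key ID and all function names are constructed for illustration.

```python
# Added example: audit recipients from gpg's machine-readable output only.
HIDDEN = "0" * 16  # key ID reported for a hidden (anonymous) recipient

# pub/sub records reduced from the debug log above; the AAAA/BBBB key is constructed.
KEYRING = """\
pub:u:2048:1:75481C55CEC8925D:1376662444:1439805005::u:::scESC::::::
sub:u:2048:1:C35EC89C33868FEC:1376662444:1439805092:::::e::::::
sub:u:4096:1:DB04E2CE780A17DE:1409514434:1441050434:::::s::::::
pub:u:2048:1:AAAAAAAAAAAAAAA1:1400000000:::u:::scESC::::::
sub:u:2048:1:BBBBBBBBBBBBBBB2:1400000000::::::e::::::
"""
# Constructed status-fd lines: ENC_TO <long_keyid> <keytype> <keylen>
STATUS = """\
[GNUPG:] ENC_TO C35EC89C33868FEC 1 0
[GNUPG:] ENC_TO BBBBBBBBBBBBBBB2 1 0
[GNUPG:] ENC_TO CCCCCCCCCCCCCCC3 1 0
[GNUPG:] ENC_TO 0000000000000000 1 0
"""

def key_owners(colons):
    """Map every key ID (primary or subkey) to its primary key ID."""
    owners, primary = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) > 4 and f[0] == "pub":
            primary = f[4]
            owners[primary] = primary
        elif len(f) > 4 and f[0] == "sub" and primary:
            owners[f[4]] = primary
    return owners

def enc_to_ids(status):
    """Key IDs from ENC_TO status lines; localized log text is ignored."""
    rows = (line.split() for line in status.splitlines())
    return [r[2].upper() for r in rows if len(r) >= 3 and r[:2] == ["[GNUPG:]", "ENC_TO"]]

def audit(status, colons, expected):
    """Return (unexpected primaries, missing primaries, unresolved IDs, hidden count)."""
    owners, found, unresolved, hidden = key_owners(colons), set(), [], 0
    for kid in enc_to_ids(status):
        if kid == HIDDEN:
            hidden += 1               # recipient cannot be identified at all
        elif kid in owners:
            found.add(owners[kid])    # subkey resolved to its primary key
        else:
            unresolved.append(kid)    # key not in the local keyring
    return sorted(found - expected), sorted(expected - found), unresolved, hidden

if __name__ == "__main__":
    print(audit(STATUS, KEYRING, {"75481C55CEC8925D"}))
```

Any non-empty first or third element, or a non-zero hidden count, means the file is readable by someone outside the expected recipient set.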
