Skip to content

Secret key decryption failed: Malformed MPI

I first encountered this issue with my main primary key (Certificate: 0xFB90812B62F8EDBF.sec.clear.gpg). The main primary key of the test key works.

Software used:

  • GnuPG 2.2.20 (Homebrew, May 2020) for creation of my personal key
  • GnuPG 2.4 (MacPorts, latest)
  • sequoia-sq 0.29 (from crate, with MacPorts cargo)

When using the attached secret test key without passphrase protection, everything works:

$ sq certify ./0xFB90812B62F8EDBF.sec.clear.gpg ./0x36756E1007853009.pub.asc "Tim Haase <timhaase@gmx.net>"

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
sq sign --signer-file ./0xFB90812B62F8EDBF.sec.clear.gpg ./message.txt

-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----
sq encrypt --recipient-file ./0xFB90812B62F8EDBF.pub.asc ./message.txt | sq decrypt --recipient-file ./0xFB90812B62F8EDBF.sec.clear.gpg

Encrypted using AES-256
Compressed using ZIP
Hello world!

Now, import the attached test key into GnuPG, add passphrase protection and reexport it:

$ gpg --homedir ./gnupg.temp --import ./0xFB90812B62F8EDBF.sec.clear.gpg
$ gpg --homedir ./gnupg.temp --passwd max@mustermann.de
$ gpg --homedir ./gnupg.temp --export-secret-keys 0xFB90812B62F8EDBF > ./0xFB90812B62F8EDBF.sec.gpg

Now, repeat the sq commands from above. Certification still works with this test key. It failed for my personal key with a similar error message as with signing (see below):

$ sq certify ./0xFB90812B62F8EDBF.sec.gpg ./0x36756E1007853009.pub.asc "Tim Haase <timhaase@gmx.net>"

Please enter password to decrypt 22C54E1126E3DB1D222DFF6DFB90812B62F8EDBF/22C54E1126E3DB1D222DFF6DFB90812B62F8EDBF: 
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Now the signing:

$ sq sign --signer-file ./0xFB90812B62F8EDBF.sec.gpg ./message.txt

Please enter password to decrypt 22C54E1126E3DB1D222DFF6DFB90812B62F8EDBF/0A0A7D1E72F88D5A656D6AE859630A80BAA49FA1: 
thread 'main' panicked at 'decryption failed: Malformed MPI: leading bit is not set: expected bit 8 to be set in  1101000 (68)', ~/.cargo/registry/src/github.com-1ecc6299db9ec823/sequoia-sq-0.29.0/src/commands/mod.rs:144:30
stack backtrace:
   0:        0x101450086 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h6ae6bff14318b704
   1:        0x101469dfa - core::fmt::write::h072391c2938df059
   2:        0x10143111c - std::io::Write::write_fmt::h88fcf164d5e43745
   3:        0x10144fe60 - std::sys_common::backtrace::print::h335d3fd0c103876b
   4:        0x1014374e3 - std::panicking::default_hook::{{closure}}::hd84d4fd3324d0128
   5:        0x1014371d2 - std::panicking::default_hook::h141bffb40908b0d1
   6:        0x101437d51 - std::panicking::rust_panic_with_hook::h770b31c549b79e3e
   7:        0x101450794 - std::panicking::begin_panic_handler::{{closure}}::hddf7da8913935775
   8:        0x1014501e8 - std::sys_common::backtrace::__rust_end_short_backtrace::haa61a482c4c687d9
   9:        0x1014378ad - _rust_begin_unwind
  10:        0x10149b533 - core::panicking::panic_fmt::h208cfee7b750b4aa
  11:        0x10149b9a5 - core::result::unwrap_failed::h65874989211a1511
  12:        0x100ca8629 - sq::commands::get_keys::h981edca058d8e143
  13:        0x100e486af - sq::commands::sign::sign::h56e33ffe7cfd15d6
  14:        0x100e030e7 - sq::main::hb1f24b97446343e1
  15:        0x100c761d6 - std::sys_common::backtrace::__rust_begin_short_backtrace::hebc4a95cee5feae8
  16:        0x100c0e051 - std::rt::lang_start::{{closure}}::h6d73f0b9bfe4a7b8
  17:        0x1014358b4 - std::rt::lang_start_internal::h2789a7315774cae2
  18:        0x100e0f7ec - _main

And encryption:

$ sq encrypt --recipient-file ./0xFB90812B62F8EDBF.pub.asc ./message.txt | sq decrypt --recipient-file ./0xFB90812B62F8EDBF.sec.gpg

Enter password to decrypt key Max Mustermann <max@mustermann.de> (FB90812B62F8EDBF): 
Could not unlock key: Malformed MPI: leading bit is not set: expected bit 8 to be set in  1101110 (6e)
Enter password to decrypt key Max Mustermann <max@mustermann.de> (FB90812B62F8EDBF):

Apparently, gpg-agent and sequoia-sq disagree on how secret key material should be encoded during the protection process. I have no idea about the internals. The experts have to handle this. Also, gpg-agent still uses SHA-1 and AES-128 for secret key protection, which is not configurable.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information