Re: gpg-agent and X

2021-08-28 Thread Werner Koch via Gnupg-users
On Thu, 26 Aug 2021 16:23, Klaus Ethgen said:

> It seems that I have the problem all time I use the QT pinentry. The
> gtk2 pinentry seems to be fine and with the switch to QT one, the

Did you try pinentry 1.2.0 which we released last week?

FWIW, I am using xfce and had some problem with icons and thus also
pinentry in the past.  The solution was to set

QT_QPA_PLATFORMTHEME=qt5ct

in the environment and use one of the latest gnupg versions (2.2.30,
2.3.2).  But Pinentry 1.2.0 should also work if icons are not accessible
etc.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent and X

2021-08-28 Thread Klaus Ethgen
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
> 
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

I just tested it right away, and there is no gtk3 build anymore in
pinentry, it is only the gnome3 pinentry that can be built. And at least
on gentoo, the pinentry-gnome3 is not working with X anymore.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-08-28 Thread Klaus Ethgen
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
> 
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

At least some time ago, there was a dependency to the full gnome world
including gnome-keyring and systemd. I did not test it anymore since
then.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-08-27 Thread Jerry Seibert
On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
>Unfortunately, the gtk3 version of pinentry has some toxic dependencies
>that I never want to have.

Would you be so kind as to list, and possibly explain, those toxic
dependencies?

-- 
Jerry



Re: gpg-agent and X

2021-08-26 Thread Klaus Ethgen
Hi,

I have an update for this issue.

It seems that I have the problem all time I use the QT pinentry. The
gtk2 pinentry seems to be fine and with the switch to QT one, the
problem appears. Now I have the problem on debian and gentoo.

Even more, a `gpg-connect-agent updatestartuptty /bye` over ssh
connection does not work with pinentry-qt.

Unfortunately, the gtk3 version of pinentry has some toxic dependencies
that I never want to have.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-03-08 Thread Klaus Ethgen
On Sat, 6 Mar 2021 at 16:32, Klaus Ethgen wrote:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid as they do not have pam_gnupg
in their software stack and so they say that it is a use case that is
not supported by them.

It is a bit short thought. Their pinentry has a bug, that is triggered
this way and they don't care.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-03-08 Thread Werner Koch via Gnupg-users
Hi!

I am not sure whether you already did this: Use a script like

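--8<---cut here---start->8---
#!/bin/sh

# Path to the real pinentry binary that this wrapper stands in for.
MYPINENTRY="/foo/bar/pinentry-gtk-2"

# Record the locale and the shell variables the wrapper was started with.
locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
# Run the real pinentry in debug mode (-d) under strace, dumping everything
# read from stdin (fd 0); stderr is appended to the same log file.
exec strace -o /tmp/pinentry.trc -e read=0 "$MYPINENTRY" -d "$@" 2>>/tmp/pinentry.err
--8<---cut here---end--->8---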

as pinentry replacement to get a better insight into the problem.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: gpg-agent and X

2021-03-06 Thread Klaus Ethgen
I created a bug ([0]) for gentoo.

Regards
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-03-05 Thread Klaus Ethgen
Hi,

On Fri, 5 Mar 2021 at 17:05, Mark H. Wood via Gnupg-users wrote:
> The only thing I can think of to check is:  have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.
   ~> eselect pinentry list 
   Available pinentry binary implementations:
 [1]   pinentry-gnome3
 [2]   pinentry-qt5 *
 [3]   pinentry-curses

From Werner Koch, I enabled pinentry-debug, here are the results:
   2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
   2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] no device present
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is, that /usr/bin/pinentry is absolutely correct:
   ~> ls -l /usr/bin/pinentry
   lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
   ~> ls -lL /usr/bin/pinentry
   -rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The Environment looks good:
   ~> gpg-connect-agent 'getinfo std_session_env' /bye
   D GPG_TTY=/dev/pts/2
   D TERM=xterm-256color
   D DISPLAY=localhost:10.0
   OK

And when logged from .xsession:
   D DISPLAY=:0
   OK

use flags:
   ~> equery u pinentry
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/pinentry-1.1.0-r4:
    U I
    + + caps          : Use Linux capabilities library to control privilege
    - - emacs         : Add support for GNU Emacs
    - - gnome-keyring : Enable support for storing passwords via gnome-keyring
    + + gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
    + + ncurses       : Add ncurses support (console display library)
    + + qt5           : Add support for the Qt 5 application and UI framework

   ~> equery u app-crypt/gnupg
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/gnupg-2.2.25:
    U I
    + + bzip2             : Use the bzlib compression library
    - - doc               : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
    - - ldap              : Add LDAP support (Lightweight Directory Access Protocol)
    + + nls               : Add Native Language Support (using gettext - GNU locale utilities)
    + + readline          : Enable support for libreadline, a GNU line-editing library that almost everyone wants
    - - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to use scdaemon with gnupg and for example NitroKey.
    + + smartcard         : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon.
    + + ssl               : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
    + + tofu              : Enable support for Trust on First use trust model; requires dev-db/sqlite.
    + + tools             : Install extra tools (including gpgsplit and gpg-zip).
    + + usb               : Build direct CCID access for scdaemon; requires dev-libs/libusb.
    - - user-socket       : try a socket directory which is not removed by init manager at session end

So, the conclusion is:
- Environment seems to be fine
- pinentry is correct (and working as it works when I kill and restart
  the gpg-agent in xsession)
- The error logged is strange for me, I have no idea what went wrong

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
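
The two checks from this message, as an added example that is not part of the original post: shell helpers that read the `getinfo std_session_env` reply and a gpg-agent log, and report where a pinentry could prompt and which pinentry program failed. The function names are hypothetical; the sample data is taken from the output quoted above, and `ENV_EMPTY` is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Agent session environment as quoted in the post (ssh login).
ENV_SSH='D GPG_TTY=/dev/pts/2
D TERM=xterm-256color
D DISPLAY=localhost:10.0
OK'
# Constructed sample: an agent that knows no session variables at all.
ENV_EMPTY='OK'

sample_log() {   # lines taken from the gpg-agent log quoted in the post
cat <<'EOF'
2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
EOF
}

# session_var NAME: read Assuan "D NAME=value" data lines on stdin and print
# the value of NAME (empty if the agent does not know the variable).
session_var() {
    sed -n "s/^D $1=//p" | head -n 1
}

# pinentry_target ENVDUMP: where could a pinentry started by this agent prompt?
pinentry_target() {
    display=$(printf '%s\n' "$1" | session_var DISPLAY)
    tty=$(printf '%s\n' "$1" | session_var GPG_TTY)
    if [ -n "$display" ]; then
        echo "x11:$display"
    elif [ -n "$tty" ]; then
        echo "tty:$tty"
    else
        echo "none"
    fi
}

# pinentry_failures: read a gpg-agent log on stdin and print "COUNT PATH" for
# every pinentry program the agent failed to talk to.
pinentry_failures() {
    sed -n "s/.*can't connect to the PIN entry module '\([^']*\)'.*/\1/p" |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Live use (needs a running agent; the log path is whatever log-file names):
#   pinentry_target "$(gpg-connect-agent 'getinfo std_session_env' /bye)"
#   pinentry_failures < /path/to/gpg-agent.log
```

A result of `none` or `tty:...` for an agent started from a graphical login means the agent was never given `DISPLAY`, which is the situation the thread is trying to rule out.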



Re: gpg-agent and X

2021-03-05 Thread Klaus Ethgen
That was a dead end.

Even without libcap linkage, the pinentry does not work.

Also the process capabilities of a manually started gpg-agent are the
same.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-03-05 Thread Klaus Ethgen
Some further debugging of the capabilities:

pinentry(-qt) has no file capabilities, the process of gpg-agent has the
following:
   ~> getpcaps 27031
   27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:
   28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1

Re: gpg-agent and X

2021-03-05 Thread Mark H. Wood via Gnupg-users
On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:
> I have my setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
> 
> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.
> 
> When the agent is started when I log in via xdm (wdm), the agent does
> never use X for displaying the pinentry. Even when `updatestartuptty` is
> issued afterwards. As I use gpg-card even not every time from the
> console, I need that to display a X pinentry (currently the qt one, gtk
> was preferred with gtk2 but the gtk3 one is horrible.)

The only thing I can think of to check is:  have you selected
pinentry-qt5 using 'eselect'?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu



Re: gpg-agent and X

2021-03-05 Thread Klaus Ethgen
Hi Werner,

On Fri, 5 Mar 2021 at 15:59, Werner Koch wrote:
> On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:
> 
> > While this setup works well on my Devuan machine, I have some troubles on
> > the Gentoo one, that I don't get solved.
> 
> I am also using Devuan without problems.  Did you use

Devuan isn't the problem, it is Gentoo...

>   touch /var/lib/elogind/USERNAME
> 
> to avoid elogind stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept and
limit the amount of bloated pötterware on my system(s) to the absolute
minimum.

However, if it helps, there is a bug in gentoo ([0]) that is preventing
the session registering. But I have the mentioned workaround in place.

Regards
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Re: gpg-agent and X

2021-03-05 Thread Werner Koch via Gnupg-users
On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:

> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.

I am also using Devuan without problems.  Did you use

  touch /var/lib/elogind/USERNAME

to avoid elogind stealing the socket directory?

> Anyone an idea, why it is not working correctly and why the agent is
> refusing to accept the DISPLAY setting when started via pam?

I have no idea.  I don't know whether this is of any help, but you can

  gpg-connect-agent 'getinfo std_session_env' /bye

to show the environment of a new session.  If you run that in the
context of PAM it might give a hint.  Or use debug-pinentry in
gpg-agent.conf which should also show the envars.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

