Control: reassign 834399 gajim
Control: retitle 834399 Gajim GnuPG improvements
Control: tags 834399 + moreinfo
Control: affects 834399 + gnupg

Hi Thorsten--

Thanks for the report, and for pointing out improvements that need to be made in Gajim's handling of OpenPGP.

I'm documenting different problems with Gajim's use of GnuPG in this e-mail, some of which are related to using GnuPG version 2.1 itself, and others which appear to be common to the use of any version of GnuPG.

I've tried to replicate your use case, and i'm assuming that you've configured some account on gajim to sign its presence indication with OpenPGP. To replicate it, i did:

 * created a new user account
 * ran gajim on it, to connect to a new xmpp account.
 * choose Edit»Accounts»select account»Personal Information»Choose Key

This all worked fine -- i was able to select a key from my public keyring.

I note here that the key selection dialog box has a "Key ID" column. This is not a good idea -- we shouldn't use key IDs anywhere. If gajim wants to provide a way to distinguish between keys for users who have multiple keys with the same exact User ID, you could add a "date created" column, which a normal user would be able to understand. for more details on the rationale for this, see:

    https://www.debian-administration.org/users/dkg/weblog/105

There is also a checkbox there labeled "Use GPG Agent", with tooltip text that says "If checked, Gajim will get the password from a GPG agent like Seahorse". It's not clear which password this refers to -- the password that protects the OpenPGP key, the password for some specific XMPP account, or something else.

If it's only talking about a passphrase for OpenPGP key material, then when gpg is provided on the system by branch 2.1 or later (this can be tested with "gpg --version", for example), this checkbox should probably not be offered (and it should always be considered to be checked).

If i have that box checked, then when i try to log back in, i get a dialog box with this message:

> Your passphrase is incorrect
> ----------------------------
> You configured Gajim to use OpenPGP agent, but there is no OpenPGP agent
> running or it returned a wrong passphrase.
> You are currently connected without your OpenPGP key.

This message is wrong, because gpg-agent is indeed running. looking in the source for gajim, i see this associated with the following things:

    function handle_event_bad_gpg_passphrase
    event bad-gpg-passphrase
    class BadGPGPassphraseEvent

it appears to be generated in this case by _send_first_presence, which deals with a failed initial attempt to sign the initial presence message.

The initial attempt appears to fail because of an exception shown on stderr:

    Exception in thread Thread-12:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
        self.run()
      File "/usr/lib/python2.7/threading.py", line 754, in run
        self.__target(*self.__args, **self.__kwargs)
      File "/usr/share/gajim/src/common/gnupg.py", line 772, in _read_response
        result.handle_status(keyword, value)
      File "/usr/share/gajim/src/common/gnupg.py", line 628, in handle_status
        raise ValueError("Unknown status message: %r" % key)
    ValueError: Unknown status message: u'KEY_CONSIDERED'

The list of status around line 612 of src/common/gnupg.py (in handle_status()) isn't complete.

I also noticed that under Edit»Accounts»Local»Personal Information in the "OpenPGP" header, it says:

    OpenPGP is not usable on this computer

This is wrong, since OpenPGP is clearly available for this account.

So: please improve gajim's support for OpenPGP! The simplest way to do this for the 2.1 transition is probably just to make gajim Depend: gnupg (>= 2.1), strip out the checkboxes for gpg-agent, and assume that gajim will never directly handle any passphrases for GnuPG.
Fixing the key selection dialog and clarifying the rationale for sending PGP-signed statuses would also be a bonus.

Thorsten, i also noticed from your terminal transcript:

> gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)

This is surprising to me, since gnupg 2.1.14-5 Depends: gnupg-agent (= 2.1.14-5). can you clarify this?

Regards,

        --dkg
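
An added illustration, not part of the original message and not Gajim's or python-gnupg's code: a status-line handler that records keywords it does not act on (such as KEY_CONSIDERED) instead of raising, plus the "gpg --version" branch test mentioned above. The names SignResult, parse_status and agent_always_used are hypothetical, and the sample status lines and fingerprint are constructed.

```python
import re

STATUS_PREFIX = "[GNUPG:] "  # prefix gpg puts on every --status-fd line

class SignResult:
    """Collects the outcome of one signing run from gpg's status lines."""
    def __init__(self):
        self.signed = False
        self.bad_passphrase = False
        self.considered = []  # fingerprints reported by KEY_CONSIDERED
        self.unknown = []     # keywords this code does not act on

    def handle_status(self, keyword, value):
        if keyword == "SIG_CREATED":
            self.signed = True
        elif keyword == "BAD_PASSPHRASE":
            self.bad_passphrase = True
        elif keyword == "KEY_CONSIDERED":
            self.considered.extend(value.split()[:1])
        else:
            # Newer gpg releases add keywords; record them, do not raise.
            self.unknown.append(keyword)

def parse_status(text):
    result = SignResult()
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary log output, not a status line
        keyword, _, value = line[len(STATUS_PREFIX):].partition(" ")
        result.handle_status(keyword, value)
    return result

def agent_always_used(version_output):
    """True when `gpg --version` output reports branch 2.1 or later."""
    m = re.match(r"gpg \(GnuPG\) (\d+)\.(\d+)", version_output)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 1)

# Constructed sample (placeholder fingerprint), shaped like a signing run.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = "\n".join([
    "[GNUPG:] KEY_CONSIDERED %s 0" % FPR,
    "gpg: constructed log line, not a status line",
    "[GNUPG:] BEGIN_SIGNING H8",
    "[GNUPG:] SIG_CREATED D 1 8 00 1472000000 %s" % FPR,
])

if __name__ == "__main__":
    r = parse_status(SAMPLE)
    print(r.signed, r.bad_passphrase, r.considered, r.unknown)
    print(agent_always_used("gpg (GnuPG) 2.1.14"))
```

With a handler shaped like this, an unrecognised keyword ends up in `unknown` for logging, and a failed signature is reported only when the status stream actually says so.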