tags 834399 - moreinfo
thanks

Daniel Kahn Gillmor dixit:

>Control: reassign 834399 gajim
>Control: retitle 834399 Gajim GnuPG improvements
>Control: tags 834399 + moreinfo
>Control: affects 834399 + gnupg

Please always Cc the maintainers of the package when reassigning,
as debbugs does NOT do that. Full-quoting your comment (this mail
ought to be delivered to the Gajim maintainers), my response to
your question to me inline.

>Thanks for the report, and for pointing out improvements that need to be
>made in Gajim's handling of OpenPGP. I'm documenting different problems
>with Gajim's use of GnuPG in this e-mail, some of which are related to
>using GnuPG version 2.1 itself, and others which appear to be common to
>the use of any version of GnuPG.
>
>I've tried to replicate your use case, and i'm assuming that you've
>configured some account on gajim to sign its presence indication with
>OpenPGP.

Indeed.

>To replicate it, i did:
>
> * created a new user account
> * ran gajim on it, to connect to a new xmpp account.
> * choose Edit»Accounts»select account»Personal Information»Choose Key
>
>This all worked fine -- i was able to select a key from my public
>keyring.
>
>I note here that the key selection dialog box has a "Key ID" column.
>This is not a good idea -- we shouldn't use key IDs anywhere.
>
>If gajim wants to provide a way to distinguish between keys for users
>who have multiple keys with the same exact User ID, you could add a "date
>created" column, which a normal user would be able to understand.
>
>for more details on the rationale for this, see:
>https://www.debian-administration.org/users/dkg/weblog/105

Full disclosure common courtesy in such cases is to mention that
the link is to an article you yourself wrote, and is no independent
authority you cite — especially as not everyone will want to agree
with you on all points (although you hear no complaint from me on
this specific one).

>There is also a checkbox there labeled "Use GPG Agent", with tooltip
>text that says "If checked, Gajim will get the password from a GPG agent
>like Seahorse". It's not clear which password this refers to -- the
>password that protects the OpenPGP key, the password for some specific
>XMPP account, or something else.
>
>If it's only talking about a passphrase for OpenPGP key material, then
>when gpg is provided on the system by branch 2.1 or later (this can be
>tested with "gpg --version", for example), this checkbox should probably
>not be offered (and it should always be considered to be checked).
>
>If i have that box checked, then when i try to log back in, i get a
>dialog box with this message:
>
>
>> Your passphrase is incorrect
>> ----------------------------
>> You configured Gajim to use OpenPGP agent, but there is no OpenPGP agent
>> running or it returned a wrong passphrase.
>> You are currently connected without your OpenPGP key.
>
>This message is wrong, because gpg-agent is indeed running.
>
>
>looking in the source for gajim, i see this associated with the
>following things:
>
> function handle_event_bad_gpg_passphrase
> event bad-gpg-passphrase
> class BadGPGPassphraseEvent
>
>it appears to be generated in this case by _send_first_presence, which
>deals with a failed initial attempt to sign the initial presence
>message.
>
>The initial attempt appears to fail because of an exception shown on
>stderr:
>
>Exception in thread Thread-12:
>Traceback (most recent call last):
>  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
>    self.run()
>  File "/usr/lib/python2.7/threading.py", line 754, in run
>    self.__target(*self.__args, **self.__kwargs)
>  File "/usr/share/gajim/src/common/gnupg.py", line 772, in _read_response
>    result.handle_status(keyword, value)
>  File "/usr/share/gajim/src/common/gnupg.py", line 628, in handle_status
>    raise ValueError("Unknown status message: %r" % key)
>ValueError: Unknown status message: u'KEY_CONSIDERED'
>
>
>The list of status around line 612 of src/common/gnupg.py (in
>handle_status()) isn't complete.
>
>I also noticed that under Edit»Accounts»Local»Personal Information in
>the "OpenPGP" header, it says:
>
> OpenPGP is not usable on this computer
>
>This is wrong, since OpenPGP is clearly available for this account.
>
>So: please improve gajim's support for OpenPGP! The simplest way to do
>this for the 2.1 transition is probably just to make gajim Depend: gnupg
>(>= 2.1), strip out the checkboxes for gpg-agent, and assume that gajim
>will never directly handle any passphrases for GnuPG. Fixing the key
>selection dialog and clarifying the rationale for sending PGP-signed
>statuses would also be a bonus.
>
>Thorsten, i also noticed from your terminal transcript:
>
>> gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)
>
>This is surprising to me, since gnupg 2.1.14-5 Depends: Depends:
>gnupg-agent (= 2.1.14-5). can you clarify this?

Yes, this is trivial: I have not yet rebooted (or logged out,
killed all agents, and logged in again) since the upgrade.
This never was a problem before, and, considering both gpg
and gnupg2 can still use the running/old agent, looks like
it’s still no problem, so the warning is silly at best.

bye,
//mirabilos
--
If Harry Potter gets a splitting headache in his scar when he’s near
Tom Riddle (aka Voldemort), does Tom get pain in the arse when Harry is
near him? -- me, wondering why it’s not Jerry Potter………
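
The status-handling failure in the quoted report (an unknown `KEY_CONSIDERED` keyword raising `ValueError` in `handle_status()`, which then surfaces as a "passphrase is incorrect" dialog), shown as an added example that is not part of this mail or of Gajim's code. It sketches a reader that records unknown status keywords instead of raising, and reports a passphrase problem only when gpg states one; `SignResult`, `read_status` and `outcome` are hypothetical names, and the status lines are constructed.

```python
# Added example: tolerant handling of GnuPG --status-fd lines.
# All names are hypothetical; the sample lines below are constructed.
STATUS_PREFIX = "[GNUPG:] "

class SignResult:
    """Outcome of one signing operation, built from status lines."""

    def __init__(self):
        self.signed = False
        self.fingerprint = None
        self.bad_passphrase = False
        self.ignored = []  # keywords seen but not acted on

    def handle_status(self, keyword, value):
        if keyword == "SIG_CREATED":
            # The last field of SIG_CREATED is the signing key fingerprint.
            fields = value.split()
            self.signed = True
            self.fingerprint = fields[-1] if fields else None
        elif keyword == "BAD_PASSPHRASE":
            self.bad_passphrase = True
        else:
            # Newer gpg emits keywords an older list does not know
            # (KEY_CONSIDERED on the page): record them, do not raise.
            self.ignored.append(keyword)

    def outcome(self):
        """Report a passphrase problem only when gpg actually stated one."""
        if self.signed:
            return "signed"
        return "bad-passphrase" if self.bad_passphrase else "failed"

def read_status(lines):
    result = SignResult()
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable diagnostics, not machine status
        keyword, _, value = line[len(STATUS_PREFIX):].partition(" ")
        result.handle_status(keyword, value)
    return result

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder fingerprint
SAMPLE = [  # constructed, except the warning text quoted from the page
    "gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)\n",
    "[GNUPG:] KEY_CONSIDERED " + FPR + " 0\n",
    "[GNUPG:] SIG_CREATED D 1 8 00 1471300000 " + FPR + "\n",
]

if __name__ == "__main__":
    r = read_status(SAMPLE)
    print(r.outcome(), r.fingerprint, r.ignored)
```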