Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
On Tue 2019-07-09 11:58:46 +0200, Emmanuel Revah wrote:
> I've followed these steps carefully, on 2 computers, both on Debian
> Buster, 64 bit. The only thing that seems logical to me is that there
> might be an issue with pinentry-qt itself.
>
> If I remove all pinentry-* except for qt and clean gpg-agent.conf file
> (remove pinentry conf) I get the error "ERR 67108949 No pinentry Agent>".
>
> Any combination of either, only having pinentry-qt installed, or the
> config file pointing to it, will result in this error.

this sounds very frustrating, i'm sorry to hear it.

I just ran the following test that uses an empty GnuPG homedir:

    GNUPGHOME=$(mktemp -d)
    cat > "$GNUPGHOME/gpg-agent.conf" <

> I can use pinentry-qt to get a dialog window, it just does not work with
> GPG in my case.
>
> If this isn't a bug (PEBKAC is always an option for me) or can't be
> fixed, I will just use fltk or gtk2 and I'll be fine. If you'd like me
> to try out more things, let me know.

Could you try out the test above? Once you run it, if it gives you an
error, could you look at $GNUPGHOME/gpg-agent.log ?

    --dkg
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
On 2019/06/27 17:41, Daniel Kahn Gillmor wrote:
> On Thu 2019-06-27 10:28:43 +0200, Emmanuel Revah wrote:
>> In .gnupg/gpg-agent.conf I went from "pinentry-program pinentry-qt" to
>> "pinentry-program pinentry".
>
> "pinentry-program pinentry" is probably the same as no line at all (it
> is the default). I strongly recommend sticking with the simplest
> default configuration possible, so removing that line is good.

I did have the full path (I tested both). I've removed it altogether now.

[...]

> Is pinentry-gnome3 still installed? If you don't want a grab, it should
> not be installed.
>
> So:
>
>  * You should have only pinentry-qt installed (and no other
>    `pinentry-*` packages)
>
>  * You should have no `pinentry-program` line in your gpg-agent.conf.
>
>  * "readlink -f $(which pinentry)" should point to /usr/bin/pinentry-qt
>
>  * You should terminate your running gpg-agent after making all of the
>    above changes, with "gpgconf --kill gpg-agent"
>
> if all of these conditions are met, then the following should give you a
> QT-based, non-grabbing confirmation prompt:
>
>     gpg-connect-agent 'GET_CONFIRMATION Hello' /bye

I've followed these steps carefully, on 2 computers, both on Debian
Buster, 64 bit. The only thing that seems logical to me is that there
might be an issue with pinentry-qt itself.

If I remove all pinentry-* except for qt and clean gpg-agent.conf file
(remove pinentry conf) I get the error "ERR 67108949 No pinentry Agent>".

Any combination of either, only having pinentry-qt installed, or the
config file pointing to it, will result in this error.

I installed pinentry-fltk and then pinentry-gtk2, and things work as
expected. Even if I have multiple pinentry-* things installed,
gpg-agent.conf is read and will use pinentry-fltk (or gtk2) as expected.
If the config file doesn't have `pinentry`, then whatever
`readlink -f $(which pinentry)` points to is used.

This seems to be the expected way of behaving (install one or more
pinentry programs, have a system default, override-able in user config).

> If this doesn't work for you, then something else is more seriously
> wrong, and i'd like to understand it better.

I can use pinentry-qt to get a dialog window, it just does not work with
GPG in my case.

If this isn't a bug (PEBKAC is always an option for me) or can't be
fixed, I will just use fltk or gtk2 and I'll be fine. If you'd like me
to try out more things, let me know.

Cheers,

: ]
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
On Thu 2019-06-27 10:28:43 +0200, Emmanuel Revah wrote:
> In .gnupg/gpg-agent.conf I went from "pinentry-program pinentry-qt" to
> "pinentry-program pinentry".

"pinentry-program pinentry" is probably the same as no line at all (it
is the default). I strongly recommend sticking with the simplest
default configuration possible, so removing that line is good.

but note that pinentry-program expects the full path
(e.g. /usr/bin/pinentry-qt), not the unadorned program name. I think
that's an unnecessarily broken behavior that only gets in the way of
debugging. i've just documented that concern upstream at
https://dev.gnupg.org/T4588 (this is a separate issue from the current
discussion, of course).

> After each edition of that file, I did `killall gpg-agent`,

You can also use "gpgconf --kill gpg-agent"

> and to test (from Enigmail troubleshooting doc) :
>
>   gpg-connect-agent <<EOT
>   GET_CONFIRMATION Hello
>   EOT

this can also be run as:

    gpg-connect-agent 'GET_CONFIRMATION Hello' /bye

> I have to either comment out "pinentry-program" or set it to "pinentry"
> and everything is back to "normal".
>
> I'm not sure where to go from here, for now, I can at least read emails
> as usual.

Is pinentry-gnome3 still installed? If you don't want a grab, it should
not be installed.

So:

 * You should have only pinentry-qt installed (and no other
   `pinentry-*` packages)

 * You should have no `pinentry-program` line in your gpg-agent.conf.

 * "readlink -f $(which pinentry)" should point to /usr/bin/pinentry-qt

 * You should terminate your running gpg-agent after making all of the
   above changes, with "gpgconf --kill gpg-agent"

if all of these conditions are met, then the following should give you a
QT-based, non-grabbing confirmation prompt:

    gpg-connect-agent 'GET_CONFIRMATION Hello' /bye

If this doesn't work for you, then something else is more seriously
wrong, and i'd like to understand it better.

    --dkg
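The checklist in the message above, as an added example that is not part of the thread or of GnuPG: a shell function that classifies the pinentry-program setting in a gpg-agent.conf, flagging the bare-name form that the message says is not accepted, plus the "readlink -f $(which pinentry)" check for the unconfigured default. The function names and the sample config are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: classify the pinentry selection discussed in this thread.
# Function names and the sample config below are made up for illustration.

# audit_pinentry_conf CONF prints one finding per pinentry-program line:
#   ok:PATH        absolute path to an executable file
#   missing:PATH   absolute path, but nothing executable is there
#   relative:NAME  bare program name (the thread says a full path is expected)
# or "default" when no such line is set and the system "pinentry" is used.
audit_pinentry_conf() {
    conf=$1
    found=0
    [ -r "$conf" ] || { echo default; return 0; }
    # read splits off the option name; comment lines never match it
    while read -r key val || [ -n "$key" ]; do
        [ "$key" = pinentry-program ] || continue
        found=1
        case $val in
            /*) if [ -f "$val" ] && [ -x "$val" ]; then
                    echo "ok:$val"
                else
                    echo "missing:$val"
                fi ;;
            *)  echo "relative:$val" ;;
        esac
    done < "$conf"
    [ "$found" -eq 1 ] || echo default
}

# What the unconfigured default resolves to (readlink -f $(which pinentry)).
system_default_pinentry() {
    p=$(command -v pinentry 2>/dev/null) || { echo none; return 0; }
    readlink -f "$p"
}

# Constructed sample: the bare-name setting the reporter started with.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'pinentry-program pinentry-qt' \
    > "$demo/gpg-agent.conf"
audit_pinentry_conf "$demo/gpg-agent.conf"
echo "system default: $(system_default_pinentry)"
rm -rf "$demo"
```

Run it against "$HOME/.gnupg/gpg-agent.conf" before "gpgconf --kill gpg-agent" to see which of the checklist conditions does not hold.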
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
I managed to get things back to normal, perhaps this can help (at least someone). In .gnupg/gpg-agent.conf I went from "pinentry-program pinentry-qt" to "pinentry-program pinentry". After each edition of that file, I did `killall gpg-agent`, and to test (from Enigmail troubleshooting doc) : gpg-connect-agent
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
Thanks Daniel for the detailed explanations.

I (apt) removed pinentry-gnome (and as you guessed, I already had
pinentry-qt installed), and now Enigmail cannot open any encrypted
emails, it displays the error message "GnuPG cannot query your
passphrase via pinentry."

I tried adding the option "pinentry-program /usr/bin/pinentry-qt" to
.gnupg/gpg-agent.conf, which doesn't change anything.

I then reinstalled pinentry-gnome which does not restore previous
behaviour. I've no access to encrypted emails via Thunderbird for now.

I will not be able to do much because I'm on a very bad connection for
the next few days/week.

cheers,
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
On Wed 2019-06-26 14:03:09 -0400, Daniel Kahn Gillmor wrote:
>  * gcr prefers to grab the desktop inputs, to avoid other
>    processes snooping on your password as it is typed. it's not clear

sorry, this last sentence got cut off. it was:

    it's not clear to me how to use gcr in a non-system-modal
    (non-grabby) way.

    --dkg
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
Control: reassign 930062 pinentry-gnome3
Control: retitle 930062 pinentry-gnome3 grabs keyboard and mouse input despite --no-global-grab or 'OPTION no-grab'
Control: forwarded 930062 https://dev.gnupg.org/T4587

Hi Emmanuel--

Thanks for the report! An explanation follows, along with some
diagnostics and an upstream bug report.

But as a caveat, i should warn you that i personally prefer the
system-modal prompting, because as i understand it:

 a) it ensures that i don't accidentally type into another window when
    i think i'm typing in the prompter

 b) it keeps other X11 clients from sniffing the keyboard input

All that said, there are still some weird bugs in here…

On Thu 2019-06-06 12:44:30 +0200, Emmanuel Revah wrote:
> I opened Thunderbird and selected an encrypted message. Or, I opened
> Thunderbird and the first message on the list is encrypted.
[…]
> A dialog window pops up and asks me to enter my gpg passphrase, and
> takes over the desktop.
[…]
> I expected to be able to leave that window on the side and use other
> programs (Pidgin, volume control, etc). I can see other windows and
> mouse actions seem to work, but anything keyboard related does not
> work. I can navigate in Firefox, but I can't enter a new url, I can't
> edit text in Vim or type something in Pidgin, but I can click the
> volume control in the task bar

The thing that's taking over your keyboard and mouse is pinentry. It's
doing that because (sorry about the long chain here):

 * thunderbird wants to read a message

 * enigmail notices that the message is encrypted, and asks gpg to
   decrypt it

 * gpg notices that it is encrypted to a secret key, which it does not
   control directly, so it asks gpg-agent to use the secret key on its
   behalf

 * gpg-agent checks its passphrase cache and realizes that it doesn't
   have the passphrase so it needs to ask the user by invoking pinentry

 * pinentry (implemented by pinentry-gnome3) in turn invokes gnome's gcr
   service via dbus, to prompt the user for a password.

 * gcr prefers to grab the desktop inputs, to avoid other processes
   snooping on your password as it is typed. it's not clear

whew!

Note that gpg-agent's configuration has a choice of "grab" and
"no-grab", with "no-grab" being the default. This choice is (i believe)
supposed to change whether pinentry receives the "OPTION no-grab"
directive or "OPTION grab" (see
https://salsa.debian.org/debian/gnupg2/blob/debian/master/agent/call-pinentry.c#L423
) but that doesn't seem to have any effect on gcr, as tested by:

    printf 'OPTION no-grab\ngetpin\n' | pinentry-gnome3

Furthermore, pinentry-gnome3 appears to ignore its documented
--no-global-grab option:

    printf 'getpin\n' | pinentry-gnome3 --no-global-grab

still does a global grab. This is because gcr's prompting is by
definition system modal, i think:

    https://developer.gnome.org/gcr/3.20/GcrSystemPrompt.html

As a workaround, since you're using KDE and plasma anyway, you could try
uninstalling pinentry-gnome3, but leaving pinentry-qt installed. This
should make the system fall back to using pinentry-qt, which i believe
doesn't have the same behavior.

I've opened https://dev.gnupg.org/T4587 to try to address the
contradictions between the documentation and behavior of
pinentry-gnome3.

    --dkg
Bug#930062: enigmail: Engimail decrypt-passphrase window takes control of desktop
Package: enigmail
Version: 2:2.0.10+ds1-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

I opened Thunderbird and selected an encrypted message. Or, I opened
Thunderbird and the first message on the list is encrypted.

   * What was the outcome of this action?

A dialog window pops up and asks me to enter my gpg passphrase, and
takes over the desktop.

   * What outcome did you expect instead?

I expected to be able to leave that window on the side and use other
programs (Pidgin, volume control, etc). I can see other windows and
mouse actions seem to work, but anything keyboard related does not
work. I can navigate in Firefox, but I can't enter a new url, I can't
edit text in Vim or type something in Pidgin, but I can click the
volume control in the task bar

I'm using KDE/Plasma, it seems this behaviour is also present on Gnome
and possibly other desktops.

Thanks for any possible help and/or explanations to help me understand
what's up.

:]

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages enigmail depends on:
ii  gnupg                    2.2.12-1
ii  gnupg-agent              2.2.12-1
ii  gpg-agent [gnupg-agent]  2.2.12-1
ii  thunderbird              1:60.7.0-1

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-2
ii  pinentry-qt [pinentry-x11]      1.1.0-2

enigmail suggests no packages.

-- no debconf information