Why exactly does pinentry fail with gpg-agent and ssh support?

2018-01-21 Thread Doron Behar
Hello everyone,

I've recently encountered the problem explained in item #3 here:
https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
and I would like to discuss it.

I use the `systemd` user service provided with Arch Linux and its
`ExecStart` is:

/usr/bin/gpg-agent --supervised

I followed the recommended instructions on the official website and on
the Arch Linux wiki
(https://wiki.archlinux.org/index.php/GnuPG#SSH_agent)

I also read the following bugs / threads:

https://unix.stackexchange.com/questions/217737/pinentry-fails-with-gpg-agent-and-ssh
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851440
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854376

As far as I understand, because I use `systemd`'s user service, whenever
I want to unlock an authentication key I need to run the command
`gpg-connect-agent updatestartuptty /bye`.

## My question is this:

The official documentation says:

> SSH has no way to tell the gpg-agent what terminal or X display it is
> running on. So when remotely logging into a box where a gpg-agent with
> SSH support is running, the pinentry will get popped up on whatever
> display the gpg-agent has been started.

Perhaps it would be possible to create some kind of feature request /
patch / merge request for ssh to enable users to run this command
before connecting to an ssh server?

BTW I encountered a stackoverflow question on the subject that raises
the same problem:
https://stackoverflow.com/questions/32574142/can-i-set-up-a-before-hook-on-certain-ssh-hosts

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Zechariah Seth
Simon Kissane wrote:
> (This is just a test key generated for testing purposes, so it is fine
> to share it publicly.)

Interesting "User ID" on that key:
"root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

I hope no one is foolish enough to import your key and run your script.



Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Simon Kissane
On Mon, Jan 22, 2018 at 11:36 AM, Zechariah Seth wrote:
> Simon Kissane wrote:
>> (This is just a test key generated for testing purposes, so it is fine
>> to share it publicly.)
>
> Interesting "User ID" on that key:
> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"
>
> I hope no one is foolish enough to import your key and run your script.
Hi Zechariah, thank you for taking the time to have a look at this for me. It
sounds like you are concerned that running my script may import some strange
key into your GPG home. If you read the script, you will see that it creates
two new GPG homes under a temporary directory, so no odd keys are going to be
imported into your day-to-day GPG config.

I realise the User ID is weird. To explain, in the use case I am working on we
are only using GPG for file encryption/decryption using keys pre-agreed out
of band. As such, we aren't actually using any of the PGP "web-of-trust"
functionality, and the actual User IDs are rather irrelevant. Maybe we should
just use S/MIME or CMS instead (and I'm looking into that option), but since
we are already using GPG for this I was looking at how to possibly integrate
our existing usage of GPG with an external key management system.

That said, I have changed my key generation code to generate more normal
looking User IDs, as you can see with this key:

https://gist.github.com/skissane/a64756f32e62fbc5b51ee1f4eef22575

which has User ID:
  Test Key 123 


And, if you run the new key against my script, you get the same error,
showing that the problem (whatever it is) isn't the User ID. (My reading of RFC4880
section 5.11 is that having an email in the User ID is just a convention not
mandatory, so software should be robust in the face of User IDs breaking that
convention.)

Thank you
Simon



Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Werner Koch
On Mon, 22 Jan 2018 03:40, skiss...@medallia.com said:

> showing that problem (whatever it is) isn't the User ID. (My reading of RFC4880
> section 5.11 is that having an email in the User ID is just a convention not
> mandatory, so software should be robust in the face of User IDs breaking that
Correct.

Actually, specifying a mail address with -r or --locate-key changes
GnuPG's behaviour in that it tries to find the key in a configured
online directory (by default WKD).

>> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

That is an acceptable user-id.  I would have used a dot as delimiter but
that is a personal taste.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Why exactly does pinentry fail with gpg-agent and ssh support?

2018-01-21 Thread Werner Koch
On Sun, 21 Jan 2018 17:41, doron.be...@gmail.com said:

> As far as I understand, because I use `systemd`'s user service, whenever
> I want to unlock an authentication key I need to run the command
> `gpg-connect-agent updatestartuptty /bye`.

Although I have no experience with the peculiarities of the --supervised
mode, there is no need to run the updatestartuptty command.  That command
is only used to switch gpg-agent's default $DISPLAY and tty to the one
active in the shell you run this command.  This is required because the
ssh-agent protocol has no way to tell gpg-agent (or ssh-agent) the
DISPLAY/tty which shall be used to pop-up the Pinentry.

Another problem with ssh is that ssh can't start gpg-agent on the
fly.  Thus you need to make sure that gpg-agent has already been started
when you use ssh.  A way to ensure this is to run

  gpg -K

which lists all your private keys and as a side effect starts
gpg-agent.  You can also do

  gpg-connect-agent /bye

because it exhibits the same side-effect.  The suggested way to start
gpg-agent for ssh is to use

  gpgconf --launch gpg-agent


Salam-Shalom,

   Werner


p.s.
And the best solution would be to extend the ssh-agent protocol
and openssh to allow starting of an arbitrary process and conveying some
environment variables.

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


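The steps Werner lists above (start gpg-agent before ssh needs it, point SSH_AUTH_SOCK at the agent's ssh socket, and use updatestartuptty to tell the agent which tty or $DISPLAY the Pinentry should appear on) fit naturally into one small shell wrapper. The block below is an added example written for this page; it is not code from the thread, from GnuPG or from the Arch wiki. It assumes GnuPG 2.1 or later with "enable-ssh-support" in gpg-agent.conf and an authentication key already enabled for ssh (its keygrip in sshcontrol); the function names gpgconf_dir, gpg_ssh_env, gpg_ssh_update_tty and gssh are my own. The socket path is read from the plain "gpgconf --list-dirs" listing, whose values are percent-escaped, so the first function is a small decoder for that format rather than a one-line lookup.

```sh
#!/bin/sh
# Added example (not from the thread or from GnuPG): prepare gpg-agent as the
# SSH agent for the current terminal before running ssh.
# Assumes GnuPG 2.1+ with "enable-ssh-support" in gpg-agent.conf.

# Pull one directory out of "gpgconf --list-dirs" output. That listing is a
# sequence of name:value lines in which ':' and '%' inside the value are
# percent-escaped (%3a, %25), so the value is decoded here. Using the plain
# listing keeps this working with gpgconf versions that do not accept the
# directory name as an argument.
gpgconf_dir() {
    awk -v want="$1" '
        function hexval(h,    i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        index($0, want ":") == 1 {
            s = substr($0, length(want) + 2); out = ""
            while ((i = index(s, "%")) > 0) {
                out = out substr(s, 1, i - 1) sprintf("%c", hexval(substr(s, i + 1, 2)))
                s = substr(s, i + 3)
            }
            print out s
            exit
        }'
}

# Start gpg-agent if it is not running yet (ssh cannot do this itself) and
# export SSH_AUTH_SOCK so that ssh talks to gpg-agent's ssh socket.
gpg_ssh_env() {
    sock=$(gpgconf --list-dirs | gpgconf_dir agent-ssh-socket)
    if [ -z "$sock" ]; then
        echo "gpgconf did not report agent-ssh-socket; is this GnuPG 2.1+?" >&2
        return 1
    fi
    gpgconf --launch gpg-agent || return 1
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Tell the running agent which tty/$DISPLAY to pop the Pinentry on. The
# ssh-agent protocol cannot carry this, which is what updatestartuptty is for.
gpg_ssh_update_tty() {
    if t=$(tty 2>/dev/null); then
        GPG_TTY=$t
        export GPG_TTY
    fi
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# ssh through gpg-agent with the Pinentry on the terminal this is typed into.
# Usage: gssh user@host
gssh() {
    gpg_ssh_env && gpg_ssh_update_tty && ssh "$@"
}
```

Source the file from your shell start-up and use gssh in place of ssh. If you would rather keep plain ssh and only want the per-host hook asked about at the top of the thread, OpenSSH's ssh_config already offers it: a line such as Match host example.org exec "gpg-connect-agent updatestartuptty /bye" runs that command while the client evaluates its configuration, i.e. before the connection is made, and the command is harmless to repeat.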