Fwd: GPGME status callback not working for need entropy

2018-08-23 Thread Jacob Adams
Resending with a compressed log file since it ended up way bigger than I
expected.


 Forwarded Message 
Subject: Re: GPGME status callback not working for need entropy
Date: Thu, 23 Aug 2018 16:54:13 -0400
From: Jacob Adams 
To: gnupg-users@gnupg.org

On 08/22/2018 04:38 AM, Werner Koch wrote:
> On Wed,  1 Aug 2018 21:28, tookm...@gmail.com said:
>> generating a key without enough randomness, the whole application just
>> locks up with no indication of what is happening. Is there anything else
>> I could query to inform the user of what's occurring in this scenario?
> 
> You need to install a progress callback.  Something like:

I have a progress callback installed but it's not reporting anything.

My progress callback currently looks like this:
def _progress(what, type, current, total, prog):
    if what == "primegen":
        prog.inc()
    else:
        # type, current and total arrive as ints, so format instead of concatenating
        _log.info("%s %s %d %d", what, type, current, total)
    if prog.gk.redraw:
        prog.screen.finish()
        prog.screen = newt.Screen()
        prog.recreate()

(_log is a Logger that logs to a file, and prog is a progress bar I
set up earlier)

But I don't have anything logged when the application runs out of
entropy. The progress callback is simply not called as far as I can
tell. So I was hoping I could maybe get something out of status, but I
guess not. Any idea why progress wouldn't be called?

I've captured a GPGME debug log from an affected system and attached it
below. It seems _gpgme_io_select is just waiting on some file
descriptor, probably for randomness that never arrives. This same test
system completely locked up on shutdown and had to be forced off. Not
sure if that's related but seems likely.

Thanks,
Jacob



gpgme.log.gz
Description: application/gzip


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


GPGME status callback not working for need entropy

2018-08-01 Thread Jacob Adams
I've been trying to use the GPGME status callback to get an indication
of when the system is low on entropy, but I don't seem to get a callback
when such an event occurs. I've enabled full status and I get Pinentry
Launched status messages, so it seems to sort of be working. When
generating a key without enough randomness, the whole application just
locks up with no indication of what is happening. Is there anything else
I could query to inform the user of what's occurring in this scenario?

Thanks,
Jacob





Second unexplained pinentry when generating subkeys with GPGME

2018-07-27 Thread Jacob Adams
When generating a new GPG master key and some subkeys with GPGME I
noticed some odd behavior. I get a second passphrase pinentry when
generating the first subkey and I don't know why. I initially thought it
was for creating the automatic revocation certificate, as it doesn't
seem to happen if I suppress the creation of the automatic one by
generating my own directly. However, the revocation certificate exists
before these passphrase prompts.

Does anyone know what might be happening here?

Thanks,
Jacob





Re: GPGME python bindings query

2018-07-13 Thread Jacob Adams
(Redirecting to -users since that seems more appropriate)

On 07/12/2018 10:42 PM, Ben McGinnes wrote:
> On Tue, Jul 10, 2018 at 01:01:10PM -0400, Jacob Adams wrote:
>> I would prefer to use the automatically generated certificate as it
>> also comes with some useful explanation text, but the problem I'm
>> having is that there is no way to trigger this generation from GPGME
>> and it appears to happen whenever you generate your first subkey (or
>> perhaps your first signing subkey, haven't dug that much into it).
> 
> It's generated with the certification key and this comment indicates
> there may be a little misunderstanding about the revocation
> certificate.  It's used to revoke an entire key, including subkeys and
> it does this by the simple expedient of revoking the certification
> key.  Once the certification key is revoked, the certification
> signatures can't be validated without throwing the disabled key errors
> which prevent the subkeys from being used.
> 
> So even if subkeys are added later, there are no additional revocation
> certificates generated for the subkeys.  Which is why you'll find .rev
> files in $GNUPGHOME/openpgp-revocs.d/ directory matching the
> fingerprint of the primary key, but nothing for the subkeys; while the
> $GNUPGHOME/private-keys-v1.d/ is populated with multiple .key files
> matching the keygrips for all the keys and subkeys generated.
> 

Oh ok that makes a lot more sense now!
Most of what I know about GPG is just picked up from random Internet
tutorials of dubious quality so I end up with a very spotty
understanding of how all this works. Thank you for the clear overview.

>> and a random extra password prompt
> 
> There are no random extra password prompts, they're all necessary for
> a secure system.

Sorry random was the wrong word here. I meant only that the generation
of this revocation certificate seems to happen later than I would
expect. (Actually I was entirely wrong here about the order of events
anyway, see below.)

> 
>> for the revocation certificate that I can't control doesn't really
>> help there. If there's some way I could manually trigger this
>> process that would be great.
> 
> It should have already occurred when the key was first generated.  The
> only time it needs to be done manually is when issuing a specific
> revocation certificate with a less generic revocation reason or if the
> key was generated with an older version of GPG that did not generate
> such a certificate by default.
> 
When I don't generate my own revocation certificate, I get a second
password prompt when generating the first subkey. I had been assuming
that this was for the revocation certificate, but some testing confirms
that the certificate already exists before this. I'm still not sure why
I would be getting a second prompt however. Any ideas?

Thanks,
Jacob





Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-05 Thread Jacob Adams
On 07/04/2018 01:23 PM, Werner Koch wrote:
> Hi!
> 
> Are you setting the homedir in your code also for the Assuan context?
> That might explain the behaviour.

I had been manually setting the Assuan context's homedir to ~/.gnupg by
accident (I was originally using a temporary directory, but that caused
all kinds of issues). Setting it to NULL instead appears to have fixed
the problem.

Thanks,
Jacob





Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-03 Thread Jacob Adams
On 06/29/2018 07:45 PM, Jacob Adams wrote:
> On 06/27/2018 04:50 PM, Jacob Adams wrote:
>> I've got another pinentry problem unfortunately.
>> The tty is owned by the correct user this time and $GPG_TTY is set
>> correctly.
>>
>> I have two gpgme contexts, one for openpgp and another for assuan
>> commands to the smartcard. Pinentry triggered by the openpgp context
>> works perfectly, but any pinentry launched in service of the assuan
>> context fails with the error in the subject. They're both using the same
>> gpg-agent launched shortly after the creation of the openpgp context
>> with gpgconf --launch gpg-agent.
>>
>> The relevant logs are available at:
>> https://salsa.debian.org/tookmund-guest/pgpcr/issues/10
>>

> It appears that tty_name is not being set, despite the fact that GPG_TTY
> is set and thus gpg-agent has this information from the previous Context.
> 
>> I'm really not sure what's going wrong here and any insight would be
>> much appreciated.

I have a solution for this but it's definitely the wrong solution.

I've applied the following patch to pinentry to fix this problem:

--- a/pinentry/pinentry-curses.c
+++ b/pinentry/pinentry-curses.c
@@ -1187,7 +1187,8 @@
   alarm (pinentry->timeout);
 }
 #endif
-
+  if (pinentry->ttyname == NULL)
+pinentry->ttyname = getenv("GPG_TTY");
   rc = dialog_run (pinentry, pinentry->ttyname, pinentry->ttytype);
   do_touch_file (pinentry);
   return rc;
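Review bot: the fallback `if (pinentry->ttyname == NULL) pinentry->ttyname = getenv("GPG_TTY");` reads pinentry's own environment, which is inherited from the gpg-agent that spawned it rather than from the client, so it only works while agent and client happen to share the same GPG_TTY; it also hides the real defect, which the message itself names, that the tty name is not being handed to pinentry for the Assuan context even though gpg-agent is supposed to pass it. If it is kept as a diagnostic, treat an empty string like NULL, since `getenv` returns "" for an exported-but-empty variable and `dialog_run` would then be asked to open "", and indent the assignment under the `if` to match the file's style.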

Clearly this is not the right approach as it appears that gpg-agent is
supposed to handle the GPG_TTY variable. For some reason, it is simply
not passing it on to pinentry in this one case.

I've tried to reproduce this issue in a separate program but have been
unsuccessful. However it's consistently reproducible without this patch
in my program. Does anyone have an insight into why this patch would be
required?

Thanks,
Jacob





Re: Generating NIST/Brainpool subkeys with GPGME

2018-07-02 Thread Jacob Adams
On 07/02/2018 02:37 AM, Werner Koch wrote:
> On Fri, 29 Jun 2018 22:07, tookm...@gmail.com said:
>> It appears that one cannot currently generate NIST or Brainpool subkeys
>> with GPGME. Using GPG itself works fine with --expert, so am I missing
>> an option or is this simply not possible yet?
> 
> That is likely a bug.  In contrast to the cv25519 and ed25519 curves this
> (and the NIST curves) don't have an implicit algorithm.  Thus gpg tries to
> deduce this from the usage parameter but that seems not to work.


Should I file a bug against GPGME? GPG? Not really sure where the
problem is here.

> What you should do is to
> make it explicit:
> 
>   ./eccsubkeys brainpoolP384r1/ecdsa sign

Some testing confirms that I just need to add "/ecdsa" when creating a
signing or authentication key.

Thanks for your help!

Jacob







Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-06-29 Thread Jacob Adams
On 06/27/2018 04:50 PM, Jacob Adams wrote:
> I've got another pinentry problem unfortunately.
> The tty is owned by the correct user this time and $GPG_TTY is set
> correctly.
> 
> I have two gpgme contexts, one for openpgp and another for assuan
> commands to the smartcard. Pinentry triggered by the openpgp context
> works perfectly, but any pinentry launched in service of the assuan
> context fails with the error in the subject. They're both using the same
> gpg-agent launched shortly after the creation of the openpgp context
> with gpgconf --launch gpg-agent.
> 
> The relevant logs are available at:
> https://salsa.debian.org/tookmund-guest/pgpcr/issues/10
> 

I've now done a bit of poking around into this.
Attached is the patch I used to try and get some information out of
pinentry-curses.

It appears that tty_name is not being set, despite the fact that GPG_TTY
is set and thus gpg-agent has this information from the previous Context.

> I'm really not sure what's going wrong here and any insight would be
> much appreciated.

The above is still definitely true.

Thanks,
Jacob


--- a/pinentry/pinentry-curses.c
+++ b/pinentry/pinentry-curses.c
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -820,6 +821,16 @@
 dialog_run (pinentry_t pinentry, const char *tty_name, const char *tty_type)
 {
   int confirm_mode = !pinentry->pin;
+  FILE *log = fopen("/tmp/pinentry-curses.log", "a");
+  if (log == NULL)
+  {
+pinentry->specific_err = gpg_error_from_syserror ();
+pinentry->specific_err_loc = "log_setup";
+return confirm_mode? 0 : -1;
+  }
+  fputs("Pinentry\n", log);
+  fprintf(log, "TTY Name: %s\nTTY Type: %s\n", tty_name, tty_type);
+  fprintf(log, "Title: %s\nDescription: %s\n", pinentry->title, 
pinentry->description);
   struct dialog diag;
   FILE *ttyfi = NULL;
   FILE *ttyfo = NULL;
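Review bot: `fprintf(log, "TTY Name: %s\nTTY Type: %s\n", tty_name, tty_type)` passes `tty_name` to `%s` in exactly the case under investigation, where it is NULL; that is undefined behaviour (glibc happens to print "(null)", other libcs crash), so write `tty_name ? tty_name : "(null)"`. The early `return confirm_mode? 0 : -1;` when `/tmp/pinentry-curses.log` cannot be opened turns a logging failure into a pinentry failure, and the fixed path in /tmp combined with a `FILE *` that is never `fclose`d or flushed means buffered lines are lost if pinentry dies before exit while the prompt title and description end up in a world-readable location; for a throwaway debug patch, `fflush` after each write or log to `stderr` instead.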
@@ -853,6 +864,7 @@
   pinentry->specific_err_loc = "open_tty_for_read";
   return confirm_mode? 0 : -1;
 }
+ fputs("Open TTY for reading\n", log);
   ttyfo = fopen (tty_name, "w");
   if (!ttyfo)
{
@@ -863,15 +875,19 @@
   pinentry->specific_err_loc = "open_tty_for_write";
  return confirm_mode? 0 : -1;
}
+ fputs("Open TTY for writing\n", log);
   screen = newterm (tty_type, ttyfo, ttyfi);
   set_term (screen);
+ fputs("Setup screen\n", log);
 }
   else
 {
   if (!init_screen)
{
+   fputs("No init screen\n", log);
   if (!(isatty(fileno(stdin)) && isatty(fileno(stdout
 {
+ fputs("ENOTTY\n", log);
   errno = ENOTTY;
   pinentry->specific_err = gpg_error_from_syserror ();
   pinentry->specific_err_loc = "isatty";
@@ -879,6 +895,7 @@
 }
  init_screen = 1;
  initscr ();
+ fputs("Setup ncurses\n", log);
}
   else
clear ();
@@ -921,10 +938,11 @@
}
 }
   refresh ();
-
+fputs("Create dialog\n", log);
   /* Create the dialog.  */
   if (dialog_create (pinentry, &diag))
 {
+   fputs("Failed to create dialog\n", log);
   /* Note: pinentry->specific_err has already been set.  */
   endwin ();
   if (screen)
@@ -951,6 +969,7 @@
 
   do
 {
+ fputs("Made it to event loop\n", log);
   int c;
 
   c = wgetch (stdscr); /* Refresh, accept single keystroke of input.  
*/
--- a/curses/pinentry-curses.c
+++ b/curses/pinentry-curses.c
@@ -34,8 +34,17 @@
 int
 main (int argc, char *argv[])
 {
+  FILE *log = fopen("/tmp/pinentry-args.log", "a");
+  if (log == NULL)
+  {
+   return 1;
+  }
+  fputs("Begin Pinentry\n", log);
   pinentry_init ("pinentry-curses");
-
+  for (int i = 0; i < argc; i++)
+  {
+ fprintf(log, "%d: %s\n", i, argv[i]);
+  }
   pinentry_parse_opts (argc, argv);
 
   if (pinentry_loop ())
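Review bot: same issues as the dialog_run hunk: `/tmp/pinentry-args.log` is never closed or flushed, and `return 1` when fopen fails makes pinentry exit for a reason unrelated to PIN entry. `for (int i = 0; ...)` declares the counter inside the for statement and needs C99 or later, which pinentry's build flags may not enable. The argv dump itself is the useful part of the patch, since it shows directly whether gpg-agent passed a tty name to pinentry for the Assuan context.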




Generating NIST/Brainpool subkeys with GPGME

2018-06-29 Thread Jacob Adams
It appears that one cannot currently generate NIST or Brainpool subkeys
with GPGME. Using GPG itself works fine with --expert, so am I missing
an option or is this simply not possible yet?

I've attached a simple test program and the output I get on my machine
is below:

./eccsubkeys rsa1024
GPGME Version: 1.11.1
GPG Version: 2.2.8
Master: 2D14FBF15919954E4334D451C67CB3237C3CFFF4
Signing: A8B50168D9051846A570445A5DD5249F5CD0825F
Encryption: F8D8B9A453E5A7E98F44CC029F8450A1638414BE
Authentication: 866E75EDC8BDEB4B5A4DBD62865FAF7AB6DE6367

./eccsubkeys nistp384
GPGME Version: 1.11.1
GPG Version: 2.2.8
Master: 27A05F867C37442B675CFC1B9C647EA952B0D156
GPGME: General error

./eccsubkeys brainpoolP384r1
GPGME Version: 1.11.1
GPG Version: 2.2.8
Master: 26B2C8D94AD12A160262C82FED06C709E119D584
GPGME: General error


Thanks,
Jacob
#define  _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <gpgme.h>

int main(int argc, char **argv)
{
	if (argc < 2)
	{
		puts("Need algorithm!");
		return 1;
	}
	const char *version = gpgme_check_version(NULL);
	printf("GPGME Version: %s\n", version);
	gpgme_ctx_t ctx;
	gpgme_error_t err = gpgme_new(&ctx);
	if (!err)
	{
		/* mkdtemp() needs a template ending in six X's; a throwaway
		 * home directory keeps the test away from ~/.gnupg */
		char template[] = "/tmp/gnupg.XXXXXX";
		char *homedir = mkdtemp(template);
		if (homedir == NULL)
		{
			perror("mkdtemp");
			gpgme_release(ctx);
			return 3;
		}
		gpgme_engine_info_t eng = gpgme_ctx_get_engine_info(ctx);
		printf("GPG Version: %s\n", eng->version);
		err = gpgme_ctx_set_engine_info(ctx, GPGME_PROTOCOL_OPENPGP,
						eng->file_name, homedir);
		if (!err)
		{
			gpgme_genkey_result_t result;
			/* Primary key is certify-only; the subkeys carry the other usages */
			err = gpgme_op_createkey(ctx, "test ", argv[1],
						 0, 0, NULL, GPGME_CREATE_CERT);
			if (!err)
			{
				result = gpgme_op_genkey_result(ctx);
				printf("Master: %s\n", result->fpr);
				/* List secret keys (third argument 1) in the fresh home
				 * directory; the only one there is the key just created */
				err = gpgme_op_keylist_start(ctx, "", 1);
				if (!err)
				{
					gpgme_key_t key;
					err = gpgme_op_keylist_next(ctx, &key);
					if (!err)
					{
						/* The same algorithm string is reused for every
						 * subkey; for the NIST/Brainpool curves this is
						 * the call that fails with "General error" */
						err = gpgme_op_createsubkey(ctx, key, argv[1], 0, 0,
									    GPGME_CREATE_SIGN);
						if (!err)
						{
							result = gpgme_op_genkey_result(ctx);
							printf("Signing: %s\n", result->fpr);
							err = gpgme_op_createsubkey(ctx, key, argv[1], 0,
										    0, GPGME_CREATE_ENCR);
							if (!err)
							{
								result = gpgme_op_genkey_result(ctx);
								printf("Encryption: %s\n", result->fpr);
								err = gpgme_op_createsubkey(ctx, key, argv[1],
											    0, 0, GPGME_CREATE_AUTH);
								if (!err)
								{
									result = gpgme_op_genkey_result(ctx);
									printf("Authentication: %s\n", result->fpr);
								}
							}
						}
						gpgme_key_unref(key);
					}
					gpgme_op_keylist_end(ctx);
				}
			}
		}
		gpgme_release(ctx);
	}

	if (err)
	{
		const char *strerror = gpgme_strerror(err);
		const char *strsource = gpgme_strsource(err);
		fprintf(stderr, "%s: %s\n", strsource, strerror);
		return 2;
	}
	return 0;
}


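Added example (not from this thread or from GPGME's own code) covering this post and Werner's answer in the "Re: Generating NIST/Brainpool subkeys with GPGME" message above: a helper that builds the algorithm string so the NIST and Brainpool curves get the explicit algorithm gpg cannot infer from the usage. The "/ecdsa" suffix for signing and authentication subkeys is what the thread confirmed; the "/ecdh" suffix for encryption subkeys is this example's assumption by analogy and is not confirmed on this page. `EXPLICIT_ALGO_CURVES`, `subkey_algo_spec` and `create_subkeys` are this example's names; `create_subkeys` uses the Python bindings' `Context.create_subkey` and is not executed here.

```python
# Curves for which gpg cannot infer the public-key algorithm from the subkey
# usage (the thread's finding); cv25519 and ed25519 carry theirs implicitly.
EXPLICIT_ALGO_CURVES = {
    "nistp256", "nistp384", "nistp521",
    "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1",
}


def subkey_algo_spec(algo, sign=False, encrypt=False, authenticate=False):
    """Return the algorithm string for gpgme_op_createsubkey / Context.create_subkey.

    "/ecdsa" for signing and authentication subkeys is what the thread
    confirmed.  "/ecdh" for encryption subkeys is this example's assumption
    by analogy; it is not confirmed on the page.
    """
    if "/" in algo or algo not in EXPLICIT_ALGO_CURVES:
        return algo        # RSA/DSA, ed25519, cv25519, or an already explicit spec
    if encrypt and (sign or authenticate):
        raise ValueError("an ECC encryption subkey cannot also sign; create separate subkeys")
    if encrypt:
        return algo + "/ecdh"        # assumption, see docstring
    if sign or authenticate:
        return algo + "/ecdsa"
    raise ValueError("subkey needs a usage: sign, encrypt or authenticate")


def create_subkeys(ctx, key, algo, expires_in=0):
    """Create one signing, one encryption and one authentication subkey on
    `key` with the Python bindings (gpg.Context.create_subkey) and return
    their fingerprints by usage.  Needs a live gpg.Context; not run here."""
    fingerprints = {}
    for usage in ("sign", "encrypt", "authenticate"):
        spec = subkey_algo_spec(algo, **{usage: True})
        result = ctx.create_subkey(key, algorithm=spec, expires_in=expires_in,
                                   **{usage: True})
        fingerprints[usage] = result.fpr
    return fingerprints


if __name__ == "__main__":
    # The three invocations from the eccsubkeys test program, with the spec
    # each subkey would now receive.
    for algo in ("rsa1024", "nistp384", "brainpoolP384r1"):
        for usage in ("sign", "encrypt", "authenticate"):
            print(algo, usage, "->", subkey_algo_spec(algo, **{usage: True}))
```

With a real context the call is `create_subkeys(ctx, key, "brainpoolP384r1")`, where `key` is the primary key object from `ctx.get_key(fpr, secret=True)`; each subkey gets a single usage, which is also what the eccsubkeys program does.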


Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-06-27 Thread Jacob Adams
I've got another pinentry problem unfortunately.
The tty is owned by the correct user this time and $GPG_TTY is set
correctly.

I have two gpgme contexts, one for openpgp and another for assuan
commands to the smartcard. Pinentry triggered by the openpgp context
works perfectly, but any pinentry launched in service of the assuan
context fails with the error in the subject. They're both using the same
gpg-agent launched shortly after the creation of the openpgp context
with gpgconf --launch gpg-agent.

The relevant logs are available at:
https://salsa.debian.org/tookmund-guest/pgpcr/issues/10

I'm really not sure what's going wrong here and any insight would be
much appreciated.

Thanks,
Jacob





Re: Pinentry: Permission Denied

2018-06-12 Thread Jacob Adams
On 06/03/2018 07:22 PM, gn...@raf.org wrote:
> Jacob Adams wrote:
> 
>> I've been getting the occasional "Pinentry: Permission Denied" error
>> when generating new keys with GPGME and leaving pinentry to get the
>> password instead of passing it directly (passphrase=True with the python
>> bindings). Typically a reboot will fix it but it's rather odd.
>>
>> I've attached a couple logs. If there's something else I should be
>> logging to catch this error, please let me know.
>>
>> Any ideas on what might be causing this?
>> A reboot usually fixes it but it's quite annoying.
>>
>> Thanks,
>> Jacob
> 
> it might be permissions on /dev/tty (which looks to be /dev/tty1
> from the debugging output). did you su/sudo to another user?

That seems to be it. I was overriding getty and launching my own service
as a non-root user, and tty1 was still owned by root.
I've fixed permissions on the tty in ExecPreStart and haven't seen a
pinentry error since.

https://salsa.debian.org/tookmund-guest/pgpcr/blob/master/debian/pgp-clean-room.service

Thanks,
Jacob




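Added example (not from this thread or from the pgp-clean-room service it links): a preflight check for the condition diagnosed here, a console tty still owned by root when a service running as another user lets gpg-agent start pinentry-curses on it. pinentry-curses opens the tty it is given itself, so a wrong owner surfaces only as the agent's "error calling pinentry: Permission denied" in the middle of GENKEY. `tty_problems`, `pinentry_preflight`, `hand_tty_to_user` and `check_regular_file_demo` are this example's names; the temporary regular file the demo inspects is constructed so that the checks can run without a real tty.

```python
import os
import stat
import tempfile


def tty_problems(path, uid=None):
    """Return the reasons `path` cannot serve as pinentry's tty for `uid`
    (an empty list means the checks passed).  Constructed example."""
    if not path:
        return ["GPG_TTY is not set"]
    if uid is None:
        uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if not stat.S_ISCHR(st.st_mode):
        problems.append("%s is not a character device" % path)
    if st.st_uid != uid:
        problems.append("%s is owned by uid %d, not uid %d" % (path, st.st_uid, uid))
    want = stat.S_IRUSR | stat.S_IWUSR
    if (st.st_mode & want) != want:
        problems.append("%s is not readable and writable by its owner (mode %04o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return problems


def pinentry_preflight(environ=None):
    """Check the tty named by GPG_TTY for the current user; run this before
    starting gpg-agent rather than discovering the problem inside GENKEY."""
    if environ is None:
        environ = os.environ
    return tty_problems(environ.get("GPG_TTY", ""))


def hand_tty_to_user(path, uid, gid):
    """The ExecStartPre= step the service in the thread needed (requires root):
    give the console tty to the service user before privileges are dropped.
    Mode 0600 is the conservative choice; 0620 if other processes must be
    able to write(1) to the terminal."""
    os.chown(path, uid, gid)
    os.chmod(path, 0o600)


def check_regular_file_demo():
    """Run the checks against a temporary regular file, which is what a
    GPG_TTY pointing at the wrong thing looks like, and return the findings
    keyed by scenario.  Uses a constructed file, not a real tty."""
    fd, path = tempfile.mkstemp()        # created 0600, owned by this process
    os.close(fd)
    try:
        findings = {
            "as_owner": tty_problems(path),
            "as_other_uid": tty_problems(path, uid=os.geteuid() + 1),
        }
        os.chmod(path, 0o400)
        findings["read_only"] = tty_problems(path)
    finally:
        os.unlink(path)
    findings["missing"] = tty_problems(path)
    return findings


if __name__ == "__main__":
    for scenario, problems in check_regular_file_demo().items():
        print(scenario, "->", problems or "ok")
    print("GPG_TTY ->", pinentry_preflight() or "ok")
```

In a service like the one in the thread, `pinentry_preflight()` belongs right before the OpenPGP context is created, so the user sees "tty1 is owned by uid 0, not uid 1000" instead of a failed key generation.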


Pinentry: Permission Denied

2018-06-01 Thread Jacob Adams

I've been getting the occasional "Pinentry: Permission Denied" error
when generating new keys with GPGME and leaving pinentry to get the
password instead of passing it directly (passphrase=True with the python
bindings). Typically a reboot will fix it but it's rather odd.

I've attached a couple logs. If there's something else I should be
logging to catch this error, please let me know.

Any ideas on what might be causing this?
A reboot usually fixes it but it's quite annoying.

Thanks,
Jacob
2018-06-01 19:51:31 gpg-agent[1025] listening on socket '/tmp/pgpcrgx21eh8y/S.gpg-agent'
2018-06-01 19:51:31 gpg-agent[1025] listening on socket '/tmp/pgpcrgx21eh8y/S.gpg-agent.extra'
2018-06-01 19:51:31 gpg-agent[1025] listening on socket '/tmp/pgpcrgx21eh8y/S.gpg-agent.browser'
2018-06-01 19:51:31 gpg-agent[1025] listening on socket '/tmp/pgpcrgx21eh8y/S.gpg-agent.ssh'
2018-06-01 19:51:31 gpg-agent[1026] gpg-agent (GnuPG) 2.1.18 started
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK Pleased to meet you, process 1023
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- RESET
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- OPTION ttyname=/dev/tty1
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- OPTION ttytype=linux
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- GETINFO version
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> D 2.1.18
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- OPTION allow-pinentry-notify
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- OPTION agent-awareness=2.1.0
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- RESET
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> OK
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- GENKEY
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> S INQUIRE_MAXLEN 1024
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> INQUIRE KEYPARAM
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- D (genkey(rsa(nbits 4:4096)))
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- END
2018-06-01 19:51:32 gpg-agent[1026] starting a new PIN Entry
2018-06-01 19:51:32 gpg-agent[1026] DBG: connection to PIN entry established
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> INQUIRE PINENTRY_LAUNCHED 1028 curses 1.0.0 ? ? ?
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- END
2018-06-01 19:51:32 gpg-agent[1026] DBG: error calling pinentry: Permission denied 
2018-06-01 19:51:32 gpg-agent[1026] command 'GENKEY' failed: Permission denied 
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 -> ERR 83918849 Permission denied 
2018-06-01 19:51:32 gpg-agent[1026] DBG: chan_9 <- [eof]
GPGME 2018-06-01 19:48:48 <0x02c6>  gpgme_debug: level=9
GPGME 2018-06-01 19:48:48 <0x02c6>  gpgme_check_version: call: 0=(nil), req_version=(null), VERSION=1.11.1
GPGME 2018-06-01 19:48:48 <0x02c6>  gpgme_check_version_internal: call: 0=(nil), req_version=(null), offset_sig_validity=32
GPGME 2018-06-01 19:51:27 <0x02c6>  gpgme_new: enter: r_ctx=0xfbf768
GPGME 2018-06-01 19:51:27 <0x02c6>  gpgme-dinfo: gpgconf='/usr/bin/gpgconf'
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_pipe: enter: filedes=0xbfe1fffc, inherit_idx=1 (GPGME uses it for reading)
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_pipe: leave: read=0x5, write=0x6
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: enter: path=0xf6c128, path=/usr/bin/gpgconf
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: check: path=0xf6c128, argv[ 0] = /usr/bin/gpgconf
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: check: path=0xf6c128, argv[ 1] = --list-dirs
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: check: path=0xf6c128, fd[0] = 0x6 -> 0x1
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: check: path=0xf6c128, waiting for child process pid=1010
GPGME 2018-06-01 19:51:27 <0x03f3>  gpgme:max_fds: call: 0=(nil), max fds=7 (/proc)
GPGME 2018-06-01 19:51:27 <0x02c6>  _gpgme_io_close: enter: fd=0x6
GPGME 2018-06-01 19:51:27 <0x02c6>  _gpgme_io_close: leave: result=0
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_spawn: leave: result=0
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: enter: fd=0x5, buffer=0xbfe2003c, count=1023
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: check: 737973636f6e6664 69723a2f6574632f sysconfdir:/etc/
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: check: 676e7570670a6269 6e6469723a2f7573 gnupg.bindir:/us
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: check: 722f62696e0a6c69 6265786563646972 r/bin.libexecdir
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: check: 3a2f7573722f6c69 622f676e7570670a :/usr/lib/gnupg.
GPGME 2018-06-01 19:51:27 <0x02c6>_gpgme_io_read: check: 6c69626469723a2f 7573722f6c69622f libdir:/usr/lib

Re: Problem signing git commits with smartcard key

2018-05-31 Thread Jacob Adams
On 05/31/2018 10:12 AM, koo...@spacekookie.de wrote:
> Hey there,
> 
> I have a yubikey 4 that contains my GPG key. I can use the `gpg2` tool to 
> sign messages without problems. But when I try to do the same with git, it 
> fails. The command that git runs internally is equivalent to this:
> 
> echo "This is a stream from git..." | gpg2 --status-fd=2 -bsau 
> 555F2E4B6F87F91A4110669E90734A9E619C8A6C
> 
> Which outputs the following error:
> 
> [GNUPG:] KEY_CONSIDERED 555F2E4B6F87F91A4110669E90734A9E619C8A6C 0
> [GNUPG:] BEGIN_SIGNING H8
> gpg: signing failed: Invalid ID
> [GNUPG:] FAILURE sign 100663414
> gpg: signing failed: Invalid ID

I think this is simply because you have the wrong key id in your command
(Thus "Invalid ID").
Assuming that the key on hkps.pool.sks-keyservers.net is correct, your
key id should be 9F18A093CF65F938E4C8EFA429E057516FE1BBF3, not
555F2E4B6F87F91A4110669E90734A9E619C8A6C

Hope this helps,
Jacob






Re: GPGME export secret subkeys

2018-05-31 Thread Jacob Adams
On 05/30/2018 02:00 PM, Werner Koch wrote:
> On Wed, 30 May 2018 17:22, tookm...@gmail.com said:
>> GPGME has export and import functions that work well as alternatives to
>> "gpg --import" and "gpg --export". However, looking through the
>> documentation I cannot find an equivalent to "gpg
>> --export-secret-subkeys". Have I missed something, or does such
>> functionality not yet exist?
> 
> GPGME does not support all features of gpg; that is to avoid creating a
> too baroque API.  If you need this you can resort to the gpgme_op_spawn
> API.  

Ah ok thank you. That's definitely more sensible than having a function
for everything.

> For example here is how we make sure in GPA that the gpg-agent is
> started (required for direct smartcard operations).
> 
> 
> --8<---cut here---start->8---
> void
> gpa_start_agent (void)
> {
>   gpg_error_t err;
>   gpgme_ctx_t ctx;
>   char *pgm;
>   const char *argv[3];
> 
>   pgm = get_gpg_connect_agent_path ();
>   if (!pgm)
> {
>   g_message ("tool to start the agent is not available");
>   return;
> }
> 
>   ctx = gpa_gpgme_new ();
>   gpgme_set_protocol (ctx, GPGME_PROTOCOL_SPAWN);
>   argv[0] = "";   /* Auto-insert the basename.  */
>   argv[1] = "NOP";
>   argv[2] = NULL;
>   err = gpgme_op_spawn (ctx, pgm, argv, NULL, NULL, NULL, 
> GPGME_SPAWN_DETACHED);
>   if (err)
> g_message ("error running '%s': %s", pgm, gpg_strerror (err));
>   g_free (pgm);
>   gpgme_release (ctx);
> }
> --8<---cut here---end--->8---
> 
> You need to adjust it for your needs; for example the first function
> call should be get_gpg_path which can be implemented this way:
> 
> --8<---cut here---start->8---
> static const gchar *
> get_gpg_path (void)
> {
>   gpgme_engine_info_t engine;
> 
>   gpgme_get_engine_info (&engine);
>   while (engine)
> {
>   if (engine->protocol == GPGME_PROTOCOL_OpenPGP)
>   return engine->file_name;
>   engine = engine->next;
> }
>   return NULL;
> }
> --8<---cut here---end--->8---
> 

I'm using the python bindings and actually having a bit of trouble with
op_spawn. I've fallen back on setting GNUPGHOME and calling python's
subprocess.run which pretty much does the same thing.

The simple test case attached fails for me with:
Traceback (most recent call last):
  File "/tmp/opspawn.py", line 7, in 
ctx.op_spawn(gpgbin, ['', '--version'], None, out, None, 0)
  File "/usr/local/lib/python3.6/dist-packages/gpg/core.py", line 151,
in wrapper
return _funcwrap(self, *args)
  File "/usr/local/lib/python3.6/dist-packages/gpg/core.py", line 132,
in _funcwrap
result = func(slf.wrapped, *args)
  File "/usr/local/lib/python3.6/dist-packages/gpg/gpgme.py", line 2267,
in gpgme_op_spawn
return _gpgme.gpgme_op_spawn(ctx, file, argv, datain, dataout,
dataerr, flags)
TypeError: in method 'gpgme_op_spawn', argument 5 of type 'gpgme_data_t'

Like I said it's not really a problem since I'm using subprocess but I
thought I should report it nonetheless.

Thanks,
Jacob


import gpg, os

ctx = gpg.Context()
gpgbin = ctx.engine_info.file_name
ctx.set_protocol(gpg.constants.PROTOCOL_SPAWN)
out = gpg.Data()
ctx.op_spawn(gpgbin, ['', '--version'], None, out, None, 0)
out.seek(0, os.SEEK_SET)
d = out.read()
print(d)


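Added example (not from this thread, GPA or the Python bindings): the subprocess fallback described above, written so that the value handed to gpg can only ever be a fingerprint and no shell is involved. `--homedir` is used in place of the GNUPGHOME environment variable the message mentions; the two select the same directory. `FINGERPRINT_RE`, `export_secret_subkeys_argv` and `export_secret_subkeys` are this example's names; the fingerprint in the usage below is one printed by the eccsubkeys output earlier on this page.

```python
import re
import subprocess

# A full 40-hex-digit v4 fingerprint.  Short key ids, user ids and anything
# starting with "-" are rejected before they can reach gpg's argv.
FINGERPRINT_RE = re.compile(r"\A[0-9A-Fa-f]{40}\Z")


def export_secret_subkeys_argv(gpg_bin, homedir, fingerprint, armor=False):
    """Build the argument vector for `gpg --export-secret-subkeys`."""
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("expected a 40-hex-digit fingerprint, got %r" % (fingerprint,))
    argv = [gpg_bin, "--batch", "--homedir", homedir]
    if armor:
        argv.append("--armor")
    argv += ["--export-secret-subkeys", fingerprint]
    return argv


def export_secret_subkeys(gpg_bin, homedir, fingerprint, armor=False):
    """Run gpg and return the exported secret-subkey packets as bytes.

    gpg-agent still drives pinentry for the key's passphrase; only the
    export itself, which GPGME has no operation for, is delegated here.
    The argv list form of subprocess.run means no shell parses anything."""
    argv = export_secret_subkeys_argv(gpg_bin, homedir, fingerprint, armor)
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        raise RuntimeError("gpg exited %d: %s"
                           % (proc.returncode,
                              proc.stderr.decode("utf-8", "replace").strip()))
    return proc.stdout


if __name__ == "__main__":
    import sys
    # usage: python3 export_subkeys.py <homedir> <fingerprint> > subkeys.gpg
    # e.g. fingerprint A8B50168D9051846A570445A5DD5249F5CD0825F from the
    # rsa1024 run above
    sys.stdout.buffer.write(export_secret_subkeys("gpg", sys.argv[1], sys.argv[2]))
```

The same argv, minus the binary, is what `gpgme_op_spawn` would take with the `argv[0] = ""` convention from Werner's GPA snippet once the bindings accept `None` for the unused data objects.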


GPGME export secret subkeys

2018-05-30 Thread Jacob Adams
GPGME has export and import functions that work well as alternatives to
"gpg --import" and "gpg --export". However, looking through the
documentation I cannot find an equivalent to "gpg
--export-secret-subkeys". Have I missed something, or does such
functionality not yet exist?

Thanks,
Jacob





GPGME progress callback no current or total

2018-05-15 Thread Jacob Adams
I was testing the progress callback of GPGME in python and got some
strange results.
I'm using GPGME v1.11.1

$ cat progresstest.py
import gpg, tempfile

# Borrowed from callbacks.py
def progress_stdout(what, type, current, total, hook=None):
    print("PROGRESS UPDATE: what = %s, type = %d, current = %d, total = %d" %
          (what, type, current, total))

tmp = tempfile.TemporaryDirectory()
ctx = gpg.Context(home_dir=tmp.name)
ctx.set_progress_cb(progress_stdout)
ctx.create_key("Test ", algorithm="rsa4096")

$ python3 progresstest.py
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 46, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0
PROGRESS UPDATE: what = primegen, type = 43, current = 0, total = 0


Aren't current and total supposed to indicate progress? Why might they
be zero?

Thanks,
Jacob



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
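The log above shows why current and total are zero for primegen and what a progress callback can still do with it. The following is an added example, not code from this thread or from GPGME itself: it assumes the python3-gpg callback shape used above, func(what, type, current, total, hook), decodes the type field as the character GnuPG would have printed interactively, and watches for the callback going silent, which is the only observable symptom when gpg is stuck waiting for randomness. The tick labels are this editor's reading of libgcrypt's primegen.c, not anything the protocol defines, and the sample log is a constructed copy of the sequence quoted above.

```python
"""Decode GPGME progress callbacks for primegen and notice when they stop.

Added example, not code from the thread.  It assumes the python3-gpg
callback shape used above, func(what, type, current, total, hook), and
replays a constructed copy of the quoted log lines as sample input.
"""
import re
import time

# GnuPG's doc/DETAILS defines the status line as
#   PROGRESS <what> <char> <cur> <total>
# where <char> is the character gpg would have printed interactively (a
# newline is replaced by 'X') and <total> = 0 means the total amount of work
# is unknown.  GPGME hands <char> to the callback as an integer, so 46 is
# '.' and 43 is '+'.  The labels below are this editor's reading of
# libgcrypt's primegen.c and are only used for display.
PRIMEGEN_TICKS = {
    ".": "candidate",     # a sieved candidate went into primality testing
    "+": "round passed",  # one Rabin-Miller round passed
    "X": "prime found",   # the newline gpg prints when one prime is done
}

LOG_RE = re.compile(
    r"PROGRESS UPDATE: what = (?P<what>\S+), type = (?P<type>\d+), "
    r"current = (?P<cur>\d+), total = (?P<tot>\d+)")


def parse_log_line(line):
    """Turn one GPGME debug-log line into (what, type, current, total), or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return (m.group("what"), int(m.group("type")),
            int(m.group("cur")), int(m.group("tot")))


class PrimegenMonitor:
    """Target for Context.set_progress_cb that copes with total == 0.

    For primegen current and total are always 0, so a UI can only show an
    indeterminate spinner driven by the tick count.  What it can detect is
    silence: if no callback arrives for stall_after seconds the process is
    blocked elsewhere, on a headless box most likely in a read of the random
    device, and the UI should say so instead of hanging without a word.
    """

    def __init__(self, stall_after=30.0, clock=time.monotonic):
        self.stall_after = stall_after
        self.clock = clock          # injectable so the stall logic is testable
        self.ticks = {}             # tick character -> count
        self.determinate = []       # (what, current, total) when total is known
        self.last_update = None

    def callback(self, what, ptype, current, total, hook=None):
        self.last_update = self.clock()
        if total:
            self.determinate.append((what, current, total))
            return
        if what == "primegen":
            tick = chr(ptype)
            self.ticks[tick] = self.ticks.get(tick, 0) + 1

    def summary(self):
        """Human-readable tick counts, e.g. {'candidate': 22, 'round passed': 10}."""
        return {PRIMEGEN_TICKS.get(t, repr(t)): n for t, n in self.ticks.items()}

    def stalled(self):
        """True once no progress callback has arrived for stall_after seconds."""
        if self.last_update is None:
            return False
        return self.clock() - self.last_update > self.stall_after


def replay(lines, monitor=None):
    """Feed captured debug-log lines to a monitor as if GPGME had called it."""
    monitor = monitor or PrimegenMonitor()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is not None:
            monitor.callback(*parsed)
    return monitor


def _line(ptype):
    return "PROGRESS UPDATE: what = primegen, type = %d, current = 0, total = 0" % ptype


# Constructed sample with the same sequence as the log excerpt above:
# 19 x '.', 5 x '+', 3 x '.', 5 x '+'.
SAMPLE_LOG = [_line(46)] * 19 + [_line(43)] * 5 + [_line(46)] * 3 + [_line(43)] * 5


if __name__ == "__main__":
    print(replay(SAMPLE_LOG).summary())
```

In an application this is installed with ctx.set_progress_cb(monitor.callback) on a gpg.Context. Note that the callback runs on the thread that is blocked inside create_key, so stalled() has to be polled from a separate UI thread or timer; if gpg is waiting on the random device that thread is the only one that can still tell the user what is going on.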


Re: smartcards and GPGME

2018-05-15 Thread Jacob Adams
On 05/14/2018 02:02 AM, Andre Heinecke wrote:
> Hi,
> 
> On Sunday, May 13, 2018 6:26:04 PM CEST Jacob Adams wrote:
>> As part of a program I'm writing this summer for GSoC, I'd like to be
>> able to both move gpg private keys to a smartcard and generate keys on
>> the smartcard from an application. While this can be done from gpg, it
>> doesn't look like I can do so from GPGME or any other wrappers that
>> exist. Have I missed something or is this simply not possible yet?
>>
>> While I could wrap this functionality of gpg, I'd really prefer not to
>> and I'd rather not drop the user to a gpg prompt if I don't have to.
> 
> This is both pretty complicated through GPGME, as there is indeed not a
> direct interface. Kleopatra and GPA use the "AssuanEngine" of GPGME to
> connect to the gpg-agent's assuan interface and issue / parse commands
> directly through that connection.
> 
> You might want to take a look at GPA's implementation:
> 
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpa.git;a=blob;f=src/cm-openpgp.c

Awesome! That's a bit more complex than I was hoping but better than
calling gpg directly. Thanks for the pointer!
> 
> Alternatively instead of wrapping gpg (and using the complicated edit 
> interface) you could also wrap "gpg-connect-agent" and issue commands to 
> scdaemon through that.

That's also an option but I'll try the AssuanEngine first.

Thanks,
Jacob




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
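The second route Andre mentions, wrapping gpg-connect-agent and sending commands to scdaemon, is mostly a matter of parsing Assuan reply lines (OK, ERR, S status lines, D data lines). The following is an added example, not GPA's or GPGME's code: it assumes gpg-connect-agent is on PATH and a card is inserted when run for real, uses only the SCD SERIALNO command, and exercises the parser offline on constructed reply text whose serial number and error line are made up for the example.

```python
"""Talk to scdaemon via gpg-connect-agent and parse its Assuan replies.

Added example, not GPA's or GPGME's code.  It assumes gpg-connect-agent is
on PATH and a card is inserted when run for real; the reply parser is
exercised offline on constructed reply text.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class AssuanReply:
    """One command's worth of reply lines, terminated by OK or ERR."""
    ok: bool = False
    err_code: int = 0
    err_text: str = ""
    status: list = field(default_factory=list)  # (keyword, args) from "S" lines
    data: bytes = b""                            # joined payload of "D" lines


def unescape(text):
    """Undo Assuan percent-escaping (e.g. %0A, %25) in a D line."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 3 <= len(text):
            out.append(int(text[i + 1:i + 3], 16))  # ValueError on a malformed reply
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return bytes(out)


def parse_replies(text):
    """Split gpg-connect-agent output into one AssuanReply per command sent."""
    replies, cur = [], AssuanReply()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        tag, _, rest = line.partition(" ")
        if tag == "OK":
            cur.ok = True
            replies.append(cur)
            cur = AssuanReply()
        elif tag == "ERR":
            code, _, desc = rest.partition(" ")
            cur.err_code, cur.err_text = int(code), desc
            replies.append(cur)
            cur = AssuanReply()
        elif tag == "S":
            kw, _, args = rest.partition(" ")
            cur.status.append((kw, args))
        elif tag == "D":
            cur.data += unescape(rest)
        # INQUIRE lines are answered by gpg-connect-agent itself; none are
        # expected for SERIALNO.
    return replies


def scd(*commands, timeout=30):
    """Send SCD commands through gpg-connect-agent (argv, no shell) and parse."""
    argv = ["gpg-connect-agent"] + ["SCD " + c for c in commands] + ["/bye"]
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    replies = parse_replies(proc.stdout)
    if proc.returncode != 0 and not replies:
        raise RuntimeError("gpg-connect-agent failed: " + proc.stderr.strip())
    return replies


def card_serial(replies=None):
    """Serial number of the inserted card, or RuntimeError carrying scdaemon's error."""
    reply = (replies if replies is not None else scd("SERIALNO"))[0]
    if not reply.ok:
        raise RuntimeError("scdaemon: %s (%d)" % (reply.err_text, reply.err_code))
    for kw, args in reply.status:
        if kw == "SERIALNO":
            return args.split()[0]   # older versions append a timestamp
    raise RuntimeError("no SERIALNO status line in reply")


# Constructed replies in the shape gpg-connect-agent prints; the serial
# number and the error line are made up for this example.
SAMPLE_CARD_REPLY = "S SERIALNO D2760001240102010006123456780000\nOK\n"
SAMPLE_NO_CARD_REPLY = "ERR 100663404 Card error <SCD>\n"


if __name__ == "__main__":
    print(card_serial())
```

Every command sent gets exactly one terminating OK or ERR, which is what parse_replies keys on, so several commands can be batched into one gpg-connect-agent run and matched back to their replies by position. The gpg module's Context.assuan_transact (with the protocol set to Assuan) delivers the same S lines to a status callback, so the status handling above carries over if you later move to the AssuanEngine route.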


smartcards and GPGME

2018-05-13 Thread Jacob Adams
Hello all,

As part of a program I'm writing this summer for GSoC, I'd like to be
able to both move gpg private keys to a smartcard and generate keys on
the smartcard from an application. While this can be done from gpg, it
doesn't look like I can do so from GPGME or any other wrappers that
exist. Have I missed something or is this simply not possible yet?

While I could wrap this functionality of gpg, I'd really prefer not to
and I'd rather not drop the user to a gpg prompt if I don't have to.


Thanks,
Jacob



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Python Bindings for GPGME

2018-05-08 Thread Jacob Adams


> On May 8, 2018, at 00:16, Yugesh Kothari  wrote:
> 
> Hello all,
> 
> I'm looking to write a GUI around the existing philosophy-of-use of EasyGnuPG 
> (https://github.com/EasyGnuPG/egpg) as part of my GSoC project this summer. 
> I was therefore looking to find the best ways to wrap GnuPG from Python 
> scripts rather than using outputs from gpg2 binary. I see there are two 
> principal bindings available PyMe and PyGPGME.
> 
> Both seem to be relatively un-maintained for the past few years now (2008 for 
> PyMe and 2012 for PyGPGME):
> 
> http://pyme.sourceforge.net/
> https://launchpad.net/pygpgme
> 
> Some of the features I'd like to be working with are:
> 
> 1. Encrypting/Decrypting files. Decryption done using user's default keyrings.
> 
> 2. Listing keys and encryption sub-keys.
> 
> 3. Maintaining contacts
> 
> 4. Generating new keys
> 
> So, my question is - has anyone worked with Python and GPGME? Which bindings 
> are better in your opinion?
> 

I’m a GSoC student as well and I asked a similar question on the 
pki-clean-room-devel list. 
The relevant part of the response I got from Debian’s GPGME maintainer is 
quoted below,  the full message can be found here:

https://alioth-lists.debian.net/pipermail/pki-clean-room-devel/Week-of-Mon-20180108/71.html

“If you want to use GnuPG with python3, please use python3-gpg (for
python2, use python-gpg).  These packages are built and shipped as part
of gpgme, which is maintained by the GnuPG developers.”

I’m not sure what platform you’re developing on but the python3-gpg package in 
Debian corresponds to the official Python GPGME bindings which are shipped with 
recent versions of GPGME. 

Hope this helps,
Jacob
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
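For the features listed in the question, the official bindings (module gpg, shipped with GPGME and packaged as python3-gpg on Debian) cover key generation, key listing and encrypt/decrypt directly. The following is an added example, not from this thread or from EasyGnuPG: it assumes GnuPG with gpg-agent is installed, runs against a throwaway GNUPGHOME, and keeps the subkey-selection helper in plain Python so that part can be checked without the bindings present.

```python
"""Key generation, listing and encrypt/decrypt with python3-gpg (module gpg).

Added example, not from the thread or from EasyGnuPG.  It assumes GnuPG with
gpg-agent is installed and uses a throwaway GNUPGHOME; the subkey-selection
helper is plain Python so it can be checked without the bindings present.
"""
import tempfile


def usable_encryption_subkeys(key):
    """Encryption-capable subkeys that are not expired, revoked, disabled or invalid.

    Accepts gpg.Key objects or any object with the same attribute names.
    """
    return [sk for sk in key.subkeys
            if sk.can_encrypt
            and not (sk.expired or sk.revoked or sk.disabled or sk.invalid)]


def list_keys(home_dir, pattern=None, secret=False):
    """Fingerprint, user ids and usable encryption subkeys of each matching key."""
    import gpg  # imported here so the pure helper above works without the bindings
    with gpg.Context(home_dir=home_dir) as ctx:
        return [(k.fpr,
                 [u.uid for u in k.uids],
                 [sk.fpr for sk in usable_encryption_subkeys(k)])
                for k in ctx.keylist(pattern, secret=secret)]


def generate_encrypt_decrypt(home_dir, userid, plaintext):
    """Generate a key, encrypt and sign to it, decrypt and verify.

    Returns (armored ciphertext, recovered plaintext, signer fingerprint).
    """
    import gpg
    with gpg.Context(home_dir=home_dir, armor=True) as ctx:
        # The default algorithm yields a sign/certify primary key plus an
        # encryption subkey; passphrase=None creates it unprotected, which is
        # acceptable only because the home directory is throwaway.
        ctx.create_key(userid, passphrase=None, expires=False)
        key = next(ctx.keylist(userid))
        if not usable_encryption_subkeys(key):
            raise RuntimeError("generated key has no usable encryption subkey")
        ciphertext, _, _ = ctx.encrypt(plaintext, recipients=[key], sign=True)
        cleartext, _, verify = ctx.decrypt(ciphertext)
        return ciphertext, cleartext, verify.signatures[0].fpr


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        armored, clear, signer = generate_encrypt_decrypt(
            home, "Example User <example@example.invalid>", b"hello from python3-gpg")
        print(armored.decode())
        print(clear, signer)
        print(list_keys(home))
```

Decryption uses whatever keyring the Context's home directory points at, so dropping the home_dir argument gives the user's default keyring as the question asks for; the helper matters because a key listing shows every subkey, and encrypting to a key whose only encryption subkey is expired or revoked is the usual way such wrappers fail late.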


PGP Clean Room GSoC Mentoring

2018-02-26 Thread Jacob Adams
Hello all,

I'm a prospective student for Debian's Google Summer of Code 2018 and
I am interested in working on a project that may be of interest to
those on this mailing list and that requires at least one more
co-mentor to move forward.

The biggest hurdle I faced when setting up my GPG key was creating and
storing it offline. Many live CDs like TAILS can be manipulated for
this purpose, but are not designed for it and require quite a bit of
space for what is otherwise a relatively small amount of information.
I am looking to create a proper interface for a PGP Clean Room Live CD
that walks a user through setting up a set of USB flash drives or SD
cards as a RAID disk, generating new GPG keys, storing them there, and
then exporting subkeys either on a separate USB stick or a security
key like a Yubikey. I'd also like to add the ability to do things like
revoke keys or extend expiration dates for them through the
application. You can see more of the ideas behind the project here:
https://wiki.debian.org/SummerOfCode2018/Projects/CleanRoomForPGPKeyManagement

Daniel Pocock has already agreed to be the primary mentor for this
project, but he will most likely be involved in at least one other
GSoC project. I've sent out a few emails in Debian but have received
no reply as yet so I'm reaching out to the wider open source
community.
You can find the Mentor Guide here: https://google.github.io/gsocguides/mentor/

Someone with experience in python, especially python's GPGME bindings,
would be much appreciated.

Thanks,
Jacob

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users