Public bug reported:

Hi everybody,

on a fresh user account (Ubuntu 11.10 x86_64), gpgsm fails to validate certificates because gnome-keyring overwrites the GPG_AGENT_INFO initially set by gpg-agent (started through /etc/X11/Xsession.d/90gpg-agent with patch from https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/743268 already applied by hand).

test@nic-desktop:~$ echo $GPG_AGENT_INFO
/tmp/keyring-EhHy5E/gpg:0:1
test@nic-desktop:~$ sudo lsof /tmp/keyring-EhHy5E/gpg
Password:
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/test/.gvfs
      Output information may be incomplete.
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
gnome-key 11834 test   15u  unix 0xffff88007c276080      0t0 27229833 /tmp/keyring-EhHy5E/gpg
test@nic-desktop:~$ LC_ALL=C gpgsm -k --with-validation > gpgsm_gnome-keyring.out 2>&1
test@nic-desktop:~$ . .gnupg/gpg-agent-info-nic-desktop
test@nic-desktop:~$ echo $GPG_AGENT_INFO
/tmp/gpg-OqCLX5/S.gpg-agent:11883:1
test@nic-desktop:~$ sudo lsof /tmp/gpg-OqCLX5/S.gpg-agent
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/test/.gvfs
      Output information may be incomplete.
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
gpg-agent 11883 test    5u  unix 0xffff8800b8534d00      0t0 27228418 /tmp/gpg-OqCLX5/S.gpg-agent
test@nic-desktop:~$ LC_ALL=C gpgsm -k --with-validation > gpgsm_gpg-agent.out 2>&1
test@nic-desktop:~$

(see attached tar for the output files)

Unfortunately, the agent built into the gnome-keyring doesn't seem to support all the certificate types/operations/whatever needed by gpgsm cert validation. I verified this (actually tracked it down) with a debugger:

gnupg-2.0.18/sm/certchain.c:1308
    istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL, rootca_flags);

always returns GPG_ERR_UNSUPPORTED_CERT

I don't know if it is possible to disable gnome-keyring's gpg-agent part.
I chose to assign this bug report to gpgsm instead of to gnome-keyring since gnome-keyring is kind of default on an Ubuntu system and I believe that an 'apt-get install gpgsm' should just work.

[nic] ~ % lsb_release -rd
Description:    Ubuntu 11.10
Release:        11.10
[nic] ~ % LC_ALL=C apt-cache policy gpgsm
gpgsm:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg2
gnupg2:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg-agent
gnupg-agent:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg
gnupg:
  Installed: 1.4.11-3ubuntu1
  Candidate: 1.4.11-3ubuntu1
  Version table:
 *** 1.4.11-3ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ %

This system had been upgraded to oneiric from natty once.

Let me know if you need some more information.

Best,
Nicolai

** Affects: gnupg2 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/952094

Title:
  gpgsm chain validation not working when gnome-keyring is running
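
A small diagnostic for the situation described in the report, added here as an example and not part of the original message or of GnuPG: it parses a GPG_AGENT_INFO value (socket:pid:protocol, as shown in the terminal session) and reports whether the session still points at the socket gpg-agent created. The function names are hypothetical, and using the two socket path patterns from the report to identify the agent is an assumption of this example.

```shell
#!/bin/sh
# Added example: detect a GPG_AGENT_INFO that no longer names gpg-agent's socket.

# Print the socket path of a <socket>:<pid>:<protocol> value.
# Fields are split from the right, so a ':' inside the path is preserved.
agent_socket() {
    rest=${1%:*}
    printf '%s\n' "${rest%:*}"
}

# Print one of: unset, malformed, gnome-keyring, gpg-agent, unknown.
classify_agent_info() {
    info=$1
    [ -n "$info" ] || { echo unset; return 0; }
    case $info in
        *:*:*) ;;
        *) echo malformed; return 0 ;;
    esac
    rest=${info%:*}
    pid=${rest##*:}
    case $pid in
        ''|*[!0-9]*) echo malformed; return 0 ;;
    esac
    # Path patterns assumed from the two sockets shown in the report.
    case $(agent_socket "$info") in
        */keyring-*/gpg) echo gnome-keyring ;;
        */S.gpg-agent)   echo gpg-agent ;;
        *)               echo unknown ;;
    esac
}

# Succeeds only if the session value names the same socket that gpg-agent
# recorded at startup (e.g. in ~/.gnupg/gpg-agent-info-<hostname>).
agent_info_intact() {
    [ "$(agent_socket "$1")" = "$(agent_socket "$2")" ]
}

# Values copied from the report's terminal session.
session='/tmp/keyring-EhHy5E/gpg:0:1'
written='/tmp/gpg-OqCLX5/S.gpg-agent:11883:1'
echo "session agent: $(classify_agent_info "$session")"
echo "written agent: $(classify_agent_info "$written")"
if agent_info_intact "$session" "$written"; then
    echo "GPG_AGENT_INFO intact"
else
    echo "GPG_AGENT_INFO was replaced after gpg-agent started"
fi
```
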