I've been looking into this for the last couple of days. With the new gpg versions the gpg command refers operations needing private keys to gpg-agent, a separate process it starts when needed.
When gpg-agent needs to ask the user for a key's passphrase it starts up a third independent process called pinentry. pinentry is actually one of 5 related programs, selected in Ubuntu with the update-alternatives mechanism. The default for Ubuntu is pinentry-gnome3. It provides the prettiest graphic dialog box on your computer's graphics screen. Unfortunately it does this (successfully or not) even if you are using gpg2 from an ssh terminal session (or from a virtual console). pinentry-gnome3 uses a facility called "Gcr System Prompter". This can fail in one of at least 4 ways:

1. You may be ssh'ing from a remote location and therefore you won't be able to see the dialog box on your graphics display, and you have no way to provide the passphrase.
2. You may not be signed on to a graphics session.
3. You may be signed on but the session may be locked.
4. You may be signed on to a graphics session but have left the computer in a virtual console.

In at least one of these pinentry-gnome waits about 25 seconds trying to put up the dialog box and then falls back to using a curses text box. In testing the no-graphics-session case I think I always got an immediate fallback to the curses text box. Both of these are probably the best result you can wish for if you are remote from the target computer. In the other cases the dialog box goes up until there is a timeout (or forever).

------------------------

My suggestion is for desktop computer users who use ssh with gpg or other passphrase-protected keys to use pinentry-gtk-2 or pinentry-curses instead. You can use 'update-alternatives --display pinentry' to find out which is the default for your system. You can use 'sudo update-alternatives --config pinentry' to pick out what you want from a menu. The pinentry program can also be changed in the ~/.gnupg/gpg-agent.conf file.
To do this add a line such as:

pinentry-program /usr/bin/pinentry-curses

My alternate suggestion is to use gpg's '--pinentry-mode loopback' option when using a command that will require a passphrase.

----------------------

While the GPG_TTY environment variable is necessary for ssh's use of gpg-agent, it isn't needed when gpg uses it--it informs gpg-agent directly of the name of the tty that is controlling gpg. I think my comment above in #4 about GPG_TTY is irrelevant for this bug report.

https://bugs.launchpad.net/bugs/1775923
Title: gpg can't access secret keys when logged in via ssh instead of desktop
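The gpg-agent.conf change suggested in the comment above, as an added POSIX shell example that is not part of the bug report or of the gnupg package. It sets the pinentry-program line idempotently (replacing any existing one rather than appending a duplicate), keeps the usual 700/600 permissions on ~/.gnupg, and adds the step the comment leaves implicit: a running gpg-agent only reads its configuration at start-up, so it must be killed (via the real gpgconf --kill gpg-agent) before the new pinentry is used. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): point gpg-agent at a text-mode
# pinentry so passphrase prompts work in an ssh session, then reload the agent.
# Assumes the GnuPG 2.1+ layout (~/.gnupg/gpg-agent.conf, gpgconf on PATH).
set -eu

# set_pinentry CONF PROGRAM: write "pinentry-program PROGRAM" into CONF,
# replacing any existing pinentry-program line so the file never holds two.
set_pinentry() {
    conf=$1
    prog=$2
    # Warn (but continue) if the pinentry binary is not present on this host.
    [ -x "$prog" ] || echo "warning: $prog is not an executable here" >&2
    dir=$(dirname "$conf")
    mkdir -p "$dir"
    chmod 700 "$dir"
    tmp="$conf.tmp.$$"
    # Keep every line except an existing pinentry-program setting
    # (grep -v exits 1 when nothing survives, which is fine for an empty file).
    if [ -f "$conf" ]; then
        grep -v '^pinentry-program ' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    echo "pinentry-program $prog" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# current_pinentry CONF: print the pinentry program configured in CONF,
# or "default" when the file leaves the choice to update-alternatives.
current_pinentry() {
    conf=$1
    if [ -f "$conf" ] && grep -q '^pinentry-program ' "$conf"; then
        sed -n 's/^pinentry-program //p' "$conf" | tail -n 1
    else
        echo default
    fi
}

# reload_agent: gpg-agent reads gpg-agent.conf only when it starts, so kill
# the running instance; gpg launches a fresh one on the next private-key use.
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    fi
}

# Typical use on the desktop being ssh'd into:
#   set_pinentry "$HOME/.gnupg/gpg-agent.conf" /usr/bin/pinentry-curses
#   reload_agent
```

After reloading, a command such as gpg --decrypt in the ssh session should prompt in the terminal instead of trying to raise a GNOME dialog on the (possibly locked or absent) graphics session.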