
gpg-agent and X
Hi,

I have a setup depending strongly on gpg-agent. For this, I preseed
some passphrases via pam_gnupg.

While this setup works well on my Devuan machine, I have some troubles on
the Gentoo one that I can't get solved.

When the agent is started when I log in via xdm (wdm), the agent never
uses X for displaying the pinentry, even when `updatestartuptty` is
issued afterwards. As I do not always use gpg-card from the console,
I need it to display an X pinentry (currently the qt one; gtk was
preferred with gtk2, but the gtk3 one is horrible).

I mitigated that for now by killing the agent in xinit, so the pam module
is only in charge when unlocking the screen. However, I want to get it
working even with the login session.

Does anyone have an idea why it is not working correctly and why the agent
is refusing to accept the DISPLAY setting when started via pam?

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
On Fri, 5 Mar 2021 10:16, Klaus Ethgen said:

> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one that I can't get solved.

I am also using Devuan without problems. Did you use

touch /var/lib/elogind/USERNAME

to avoid elogind stealing the socket directory?

> Anyone an idea, why it is not working correctly and why the agent is
> refusing to accept the DISPLAY setting when started via pam?

I have no idea. I don't know whether this is of any help, but you can

gpg-connect-agent 'getinfo std_session_env' /bye

to show the environment of a new session. If you run that in the
context of PAM it might give a hint. Or use debug-pinentry in
gpg-agent.conf, which should also show the envars.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
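The `getinfo std_session_env` check above prints one Assuan `D` line per variable and ends with `OK`. The following is an added example, not code from the thread or from GnuPG, that parses such output and reports why a graphical pinentry would not appear (it assumes the `D NAME=VALUE` line shape and standard Assuan `%XX` escaping; the sample output is constructed).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `gpg-connect-agent 'getinfo std_session_env' /bye`
# output (assumption: one "D NAME=VALUE" line per variable, terminated by OK).
SAMPLE_OUTPUT = """D GPG_TTY=/dev/pts/2
D TERM=xterm-256color
D DISPLAY=localhost:10.0
OK
"""


def assuan_unescape(s: str) -> str:
    """Decode Assuan %XX escapes (used for '%', CR and LF inside D lines)."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_std_session_env(output: str) -> Tuple[Dict[str, str], bool]:
    """Return (env, ok): variables from D lines, ok=True if the command ended with OK."""
    env: Dict[str, str] = {}
    ok = False
    for line in output.splitlines():
        if line.startswith("D "):
            name, sep, value = assuan_unescape(line[2:]).partition("=")
            if sep:
                env[name] = value
        elif line.startswith("OK"):
            ok = True
        elif line.startswith("ERR "):
            ok = False
            break
    return env, ok


def check_session_env(env: Dict[str, str]) -> List[str]:
    """Explain what the agent will do with this environment when it has to ask for a PIN."""
    problems = []
    if not env.get("DISPLAY"):
        problems.append("DISPLAY unset: pinentry will be started on GPG_TTY, not on X")
    if not env.get("GPG_TTY"):
        problems.append("GPG_TTY unset: without DISPLAY as well, pinentry has no place to ask")
    return problems


if __name__ == "__main__":
    env, ok = parse_std_session_env(SAMPLE_OUTPUT)
    print("agent answered OK:", ok)
    for problem in check_session_env(env) or ["session environment looks usable for X"]:
        print(problem)
```

Run it against the real agent by piping `gpg-connect-agent 'getinfo std_session_env' /bye` output into `parse_std_session_env` from the same context (login shell, .xsession, or the PAM session) in which the pinentry fails to appear.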
Re: gpg-agent and X
Hi Werner,

On Fri, 5 Mar 2021 at 15:59, Werner Koch wrote:
> On Fri, 5 Mar 2021 10:16, Klaus Ethgen said:
>
> > While this setup works well on my Devuan machine, I have some troubles on
> > the Gentoo one that I can't get solved.
>
> I am also using Devuan without problems. Did you use

Devuan isn't the problem, it is Gentoo...

> touch /var/lib/elogind/USERNAME
>
> to avoid elogind stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept and
limit the amount of bloated pötterware on my system(s) to the absolute
minimum.

However, if it helps, there is a bug in Gentoo ([0]) that is preventing
the session from registering. But I have the mentioned workaround in place.

Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:
> I have a setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
>
> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one that I can't get solved.
>
> When the agent is started when I log in via xdm (wdm), the agent never
> uses X for displaying the pinentry, even when `updatestartuptty` is
> issued afterwards. As I do not always use gpg-card from the console,
> I need it to display an X pinentry (currently the qt one; gtk was
> preferred with gtk2, but the gtk3 one is horrible).

The only thing I can think of to check is: have you selected
pinentry-qt5 using 'eselect'?

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: gpg-agent and X
Hi,

On Fri, 5 Mar 2021 at 17:05, Mark H. Wood via Gnupg-users wrote:
> The only thing I can think of to check is: have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.
~> eselect pinentry list
Available pinentry binary implementations:
[1] pinentry-gnome3
[2] pinentry-qt5 *
[3] pinentry-curses

As suggested by Werner Koch, I enabled pinentry-debug; here are the results:
2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] no device present
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is that /usr/bin/pinentry is absolutely correct:
~> ls -l /usr/bin/pinentry
lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
~> ls -lL /usr/bin/pinentry
-rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The environment looks good:
~> gpg-connect-agent 'getinfo std_session_env' /bye
D GPG_TTY=/dev/pts/2
D TERM=xterm-256color
D DISPLAY=localhost:10.0
OK

And when logged from .xsession:
D DISPLAY=:0
OK

USE flags:
~> equery u pinentry
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for app-crypt/pinentry-1.1.0-r4:
U I
+ + caps : Use Linux capabilities library to control privilege
- - emacs : Add support for GNU Emacs
- - gnome-keyring : Enable support for storing passwords via gnome-keyring
+ + gtk : Add support for x11-libs/gtk+ (The GIMP Toolkit)
+ + ncurses : Add ncurses support (console display library)
+ + qt5 : Add support for the Qt 5 application and UI framework

~> equery u app-crypt/gnupg
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for app-crypt/gnupg-2.2.25:
U I
+ + bzip2 : Use the bzlib compression library
- - doc : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
- - ldap : Add LDAP support (Lightweight Directory Access Protocol)
+ + nls : Add Native Language Support (using gettext - GNU locale utilities)
+ + readline : Enable support for libreadline, a GNU line-editing library that almost everyone wants
- - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to use scdaemon with gnupg and for example NitroKey.
+ + smartcard : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon.
+ + ssl : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
+ + tofu : Enable support for Trust on First use trust model; requires dev-db/sqlite.
+ + tools : Install extra tools (including gpgsplit and gpg-zip).
+ + usb : Build direct CCID access for scdaemon; requires dev-libs/libusb.
- - user-socket : try a socket directory which is not removed by init manager at session end

So, the conclusion is:
- The environment seems to be fine
- pinentry is correct (and working, as it works when I kill and restart
the gpg-agent in xsession)
- The error logged is strange to me; I have no idea what went wrong

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
Some further debugging of the capabilities:

pinentry(-qt) has no file capabilities, the process of gpg-agent has the
following:
~> getpcaps 27031
27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:
28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)

I get the same errors when I set the capabilities to cap_ipc_lock=ep.

So it seems to be something with capabilities... And looking at the
binary of Devuan, it is not linked against libcap!

I will recompile pinentry without the caps USE flag. But I am curious why it
has troubles with libcap.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
That was a dead end.

Even without libcap linkage, the pinentry does not work.

Also the process capabilities of a manually started gpg-agent are the
same.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
I created a bug ([0]) for gentoo.

Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
Hi!

I am not sure whether you already did this: Use a script like

--8<---------------cut here---------------start------------->8---
#!/bin/sh

MYPINENTRY="/foo/bar/pinentry-gtk-2"

locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
exec strace -o /tmp/pinentry.trc -e read=0 $MYPINENTRY -d "$@" 2>>/tmp/pinentry.err
--8<---------------cut here---------------end--------------->8---

as a pinentry replacement to get a better insight into the problem.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: gpg-agent and X
On Sat, 6 Mar 2021 at 16:32, Klaus Ethgen wrote:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid, as they do not have pam_gnupg
in their software stack, and so they say that it is a use case that is
not supported by them.

It is a bit short-sighted. Their pinentry has a bug that is triggered
this way and they don't care.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
Hi,

I have an update for this issue.

It seems that I have the problem every time I use the QT pinentry. The
gtk2 pinentry seems to be fine, and with the switch to the QT one the
problem appears. Now I have the problem on Debian and Gentoo.

Even more, a `gpg-connect-agent updatestartuptty /bye` over an ssh
connection does not work with pinentry-qt.

Unfortunately, the gtk3 version of pinentry has some toxic dependencies
that I never want to have.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
>Unfortunately, the gtk3 version of pinentry has some toxic dependencies
>that I never want to have.

Would you be so kind as to list, and possibly explain, those toxic
dependencies?

--
Jerry

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent and X
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
>
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

At least some time ago, there was a dependency on the full GNOME world,
including gnome-keyring and systemd. I have not tested it since then.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
>
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

I just tested it right away, and there is no gtk3 build anymore in
pinentry; it is only the gnome3 pinentry that can be built. And at least
on Gentoo, the pinentry-gnome3 is not working with X anymore.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: gpg-agent and X
On Thu, 26 Aug 2021 16:23, Klaus Ethgen said:

> It seems that I have the problem all time I use the QT pinentry. The
> gtk2 pinentry seems to be fine and with the switch to QT one, the

Did you try pinentry 1.2.0, which we released last week?

FWIW, I am using xfce and had some problems with icons and thus also
with pinentry in the past. The solution was to set

QT_QPA_PLATFORMTHEME=qt5ct

in the environment and use one of the latest gnupg versions (2.2.30,
2.3.2). But Pinentry 1.2.0 should also work if icons are not accessible
etc.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.