[pkg-gnupg-maint] Bug#796931: Bug#796931: Another data point

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 20 18:32:19 UTC 2016


Hi Manoj--

On Wed 2016-01-20 04:04:43 -0500, Manoj Srivastava wrote:

> I sourced the file 70gnupg-agent.sh discussed earlier in the bug
> report.

If you're running X11, i'd assume that file would have been sourced
during your session startup.

> I am still having issues -- at least, with gpg, I can actually use
> gpg; gpg2 just fails.

can you show the version numbers you're using?

dpkg -l gnupg gnupg2 gnupg-agent


>> echo $GNUPGHOME
> /home/srivasta/lib/.sec
>> echo $GPG_AGENT_INFO
>
>> echo $GPG_AGENT
>
>> gpg-agent
> gpg-agent[1725]: gpg-agent running and available

the fact that GPG_AGENT_INFO isn't set is a little odd if you've sourced
70gpg-agent.sh, although the fact that you're not using a standard
GNUPGHOME also makes me wonder what's going on here.  do you have
"use-agent" set in /home/srivastava/lib/.sec/gpg.conf?  what about in
/home/srivastava/.gnupg/gpg.conf ?

>> gpg2 -vvv --clearsign ~/.login
> gpg: keyserver option 'include-disabled' is unknown
> gpg: keyserver option 'honor-http-proxy' is unknown
> gpg: using character set 'utf-8'
> gpg: Note: signature key 9D760D4D has been revoked
> gpg: Note: signature key 840A4306 expired Wed 11 May 2011 02:33:47 PM PDT
> gpg: using PGP trust model
> gpg: key C5779A1C: accepted as trusted key
> gpg: Note: signature key 9D760D4D has been revoked
> gpg: Note: signature key 840A4306 expired Wed 11 May 2011 02:33:47 PM PDT
> gpg: using subkey 6F576472 instead of primary key C5779A1C
> gpg: writing to '/home/srivasta/.login.asc'
> gpg: signing failed: No secret key
> gpg: /home/srivasta/.login: clearsign failed: No secret key
> [1]    1767 exit 2     gpg2 -vvv --clearsign ~/.login

This response suggests that you might be using gpg2 2.1.x (it finds the
agent while GPG_AGENT_INFO is unset, without specifying
--use-standard-socket), but your secret keys have not been imported.
does /home/srivastava/lib/.sec/private-keys-v1.d/ contain the keygrip of
the secret key you need to use?

the keygrip for your signing-capable subkey 0x36BD720F6F576472 is
4AA76328759B16116F1C2F3380A3C313A1398F34 (you can find this with "gpg2
--with-keygrip --list-keys 0x36BD720F6F576472"), so i'd expect there to
be a file at:

 /home/srivastava/lib/.sec/private-keys-v1.d/4AA76328759B16116F1C2F3380A3C313A1398F34.key

If that doesn't exist, and you're using gpg 2.1.x, can you try importing
your gpgv1 secret keyring again and then retrying your command?

   gpg2 --import < /home/srivastava/lib/.sec/secring.gpg


If this solves things for you, i'd still like to understand why the
secret keyring didn't get imported automatically the first time you used
gpg 2.1.x.  Can you tell me any history of how and when (what versions?)
you first moved to 2.1.x ?

>> gpg -vvv --clearsign ~/.login
> gpg: using character set `utf-8'
> gpg: using PGP trust model
> gpg: key C5779A1C: accepted as trusted key
> gpg: can't handle public key algorithm 22
> gpg: can't handle public key algorithm 19
> gpg: error checking usability status of C7261095
> gpg: key C7261095: secret key without public key - skipped
> gpg: NOTE: signature key 840A4306 expired Wed 11 May 2011 02:33:47 PM PDT
> gpg: NOTE: signature key 840A4306 expired Wed 11 May 2011 02:33:47 PM PDT
> gpg: no secret subkey for public subkey 840A4306 - ignoring
> gpg: using subkey 6F576472 instead of primary key C5779A1C
>
> You need a passphrase to unlock the secret key for
> user: "Manoj Srivastava <srivasta at golden-gryphon.com>"
> gpg: NOTE: signature key 840A4306 expired Wed 11 May 2011 02:33:47 PM PDT
> gpg: using subkey 6F576472 instead of primary key C5779A1C
> 2048-bit RSA key, ID 6F576472, created 2009-07-23 (main key ID C5779A1C)
>
> gpg: gpg-agent is not available in this session
> You need a passphrase to unlock the secret key for
> user: "Manoj Srivastava <srivasta at golden-gryphon.com>"
> 2048-bit RSA key, ID 6F576472, created 2009-07-23 (main key ID C5779A1C)
>
> gpg: writing to `/home/srivasta/.login.asc'
> gpg: RSA/SHA512 signature from: "6F576472 Manoj Srivastava <srivasta at golden-gryphon.com>"

This shows you not using the gpg-agent at all.

>  ps auwwx | egrep '[g]pg-agent'
> srivasta 24911  0.0  0.0 165000  2180 ?        SNs  00:39   0:00 gpg-agent --daemon --enable-ssh-support --allow-preset-passphrase --no-allow-external-cache

OK, so the agent is running, but it's not clear what started it.  I
suspect it's likely that it was auto-launched by gpg 2.1.x.

Regards,

     --dkg
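One way to run the check dkg describes above (keygrip of each signing-capable key versus the files in private-keys-v1.d), as an added example that is not part of the original bug report: it parses the output of gpg2 --with-colons --with-keygrip --list-keys. The function name check_keygrips is mine, and sample_listing is a constructed listing in which the primary key's long ID and keygrip are placeholders, since only the short ID C5779A1C appears in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): report, for every key or subkey
# whose capability field contains "s" (signing-capable), whether gpg 2.1's
# private key store holds a file named <KEYGRIP>.key for it.
#
# Usage: gpg2 --with-colons --with-keygrip --list-keys | check_keygrips "${GNUPGHOME:-$HOME/.gnupg}"
check_keygrips() {
  keydir="$1/private-keys-v1.d"
  # pub/sub records carry the key ID in field 5 and capabilities in field 12;
  # the grp record that follows carries the keygrip in field 10.
  awk -F: '
    $1 == "pub" || $1 == "sub" { keyid = $5; caps = $12; next }
    $1 == "grp" && caps ~ /s/   { print keyid, $10 }
  ' | while read -r keyid grip; do
    if [ -f "$keydir/$grip.key" ]; then
      echo "$keyid $grip present"
    else
      echo "$keyid $grip missing"
    fi
  done
}

# Constructed sample of colon-format output for the key in the thread.
# The primary's 16-hex-digit ID and keygrip are placeholders; the subkey's
# ID and keygrip are the values quoted in the report.
sample_listing() {
  cat <<'EOF'
pub:u:2048:1:01234567C5779A1C:1248332400:::u:::scESC::::::23::0:
grp:::::::::0000000000000000000000000000000000000001:
uid:u::::1248332400::0000000000000000000000000000000000000000::Manoj Srivastava <srivasta at golden-gryphon.com>::::::::::0:
sub:u:2048:1:36BD720F6F576472:1248332400::::::s::::::23:
grp:::::::::4AA76328759B16116F1C2F3380A3C313A1398F34:
EOF
}
```

A "missing" line for the subkey you sign with is the situation dkg describes: gpg2 finds the public key but has no secret key material for it, so the fix is to import the old secring.gpg as shown above.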
