[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 16 17:23:45 UTC 2017


On Thu 2017-03-16 12:56:35 -0400, Micha Borrmann wrote:
> These lines are from /lib/cryptsetup/scripts/decrypt_gnupg_sc
>
>         echo "Performing GPG key decryption ..." >&2
>         ls -l /dev/tty >&2
>         ls -l /dev/console >&2
>         /usr/bin/gpg2 --card-status >&2
>         if ! /lib/cryptsetup/askpass \
>                 "Enter smartcard PIN or passphrase for key $1: " | \
>                 /usr/bin/gpg2 --quiet --batch --homedir "$(dirname $1)" \
>                 --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 --decrypt $1; then
>                 return 1
>         fi
>
> Booting my machine, I've seen the following
>
> #####
> Performing GPG key decryption ...
> crw-rw-rw-	1 0	0		5,	0 Mar 16 16:47 /dev/tty
> crw-------	1 0	0		5,	1 Mar 16 16:47 /dev/console
> gpg: cannot open /dev/tty': No such device or address
> Reader ...........: 058F:9540:X:0
> Application ID ...: D2760001240102010005000045EC0000
> Version ..........: 2.1
> Manufacturer .....: ZeitControl
> Serial number ....: 000045EC
> Name of cardholder: Micha Borrmann
> Language prefs ...: de
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa4096 rsa2048 rsa4096
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 481
> Signature key ....: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876
>       created ....: 2016-02-17 15:26:16
> Encryption key....: ADB2 069E 7A1A 6558 2966  47A1 4E81 F234 C254 AF58
>       created ....: 2016-02-17 15:26:16
> Authentication key: EEE0 138F C87E 164B E6D8  3ED9 3768 D170 FA56 C0D6
>       created ....: 2016-02-17 15:26:16
> General key info..: Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg:
> #####
>
> Why can gpg not open /dev/tty ? This may be the problem.

I agree that it seems like it ought to be able to open /dev/tty given
the permissions shown above, but it doesn't look like that is the
problem, since it is emitted before --card-status, and --card-status
explicitly succeeds (though i don't know why "General key info..:"
appears to have produced no data).

I still don't see the explicit problem, though.

it looks to me like /lib/cryptsetup/askpass is prompting as expected,
but i see no error message from the gpg part of the pipeline.

have you tried this outside of the initramfs?  does it work?  this
pipeline looks like it expects to produce the decrypted key material to
stdout -- is that intended?

     --dkg
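As an added illustration (not part of this thread or of the cryptsetup package), one way to follow dkg's suggestion and try the pipeline shape outside the initramfs: a symmetrically encrypted file in a throwaway `--homedir` stands in for /etc/keys/cryptkey.gpg and the smartcard, and `printf` stands in for /lib/cryptsetup/askpass, so the loopback pinentry and `--passphrase-fd 0` path can be checked on its own. It assumes a `gpg2` or `gpg` 2.x binary on PATH; all data is constructed.

```shell
#!/bin/sh
# Exercise the decrypt_gnupg_sc pipeline shape outside the initramfs.
# Constructed test data only: a symmetric passphrase replaces the card,
# printf replaces askpass. Returns 0 on success (or skip), 1 on failure.
decrypt_pipeline_check() {
    gpgbin=$(command -v gpg2 || command -v gpg) || {
        echo "no gpg binary found, skipping" >&2; return 0; }
    # gnupg1 has no --pinentry-mode, so only a 2.x binary can run this.
    case $("$gpgbin" --version 2>/dev/null | sed -n 1p) in
        *' 1.'*) echo "gpg 1.x lacks --pinentry-mode, skipping" >&2; return 0;;
    esac
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    pass="constructed-test-passphrase"
    printf 'constructed LUKS key material\n' > "$tmp/plain"

    # Produce the encrypted "key file" with the same loopback/fd-0 mechanism.
    if ! printf '%s\n' "$pass" | "$gpgbin" --quiet --batch --homedir "$tmp" \
            --pinentry-mode=loopback --passphrase-fd 0 \
            --symmetric --output "$tmp/cryptkey.gpg" "$tmp/plain"; then
        echo "encryption step failed" >&2; rm -rf "$tmp"; return 1
    fi

    # The pipeline from the script: passphrase on stdin, plaintext on stdout.
    # Capturing stdout into a file shows where the decrypted key ends up;
    # gpg diagnostics still go to stderr, as they do in the boot log.
    if ! printf '%s\n' "$pass" | "$gpgbin" --quiet --batch --homedir "$tmp" \
            --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 \
            --decrypt "$tmp/cryptkey.gpg" > "$tmp/out"; then
        echo "decrypt pipeline returned non-zero" >&2; rm -rf "$tmp"; return 1
    fi

    if cmp -s "$tmp/plain" "$tmp/out"; then
        echo "ok: plaintext was emitted on stdout" >&2; rm -rf "$tmp"; return 0
    fi
    echo "decrypted output did not match the input" >&2; rm -rf "$tmp"; return 1
}
```

If this succeeds on the running system but the same command fails at boot, the difference lies in the initramfs environment (binary, agent, or device availability) rather than in the pipeline itself.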
