Bug#760102: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 28 13:05:33 UTC 2015


On Thu 2015-05-28 03:11:55 -0400, Josselin Mouette wrote:
> Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote: 
>    This proposes a workaround for GNOME keyring hijacking gpg-agent,
>    including shipping /usr/bin/gnome-keyring-unhijack-gpg-agent as an
>    interim measure, and suggesting its use if a hijack is detected.
>    (#760102 and #753163)
>
> How about fixing unstable instead of backporting what amounts to a RC
> bug to jessie? 

Josselin, which RC bug are you suggesting that i'm about to backport to
jessie?  I'm not proposing to set --use-standard-socket by default in
jessie, if that's what you're worried about.

gnome-keyring currently fails to support at least the following features
which GnuPG's gpg-agent handles:

 * S/MIME signing/decryption
 * smartcards
 * passphrases held in locked memory
 * updated s2k counts based on hardware capability.

(see: http://wiki.gnupg.org/GnomeKeyring)

So gpg will have degraded functionality if it relies on gnome-keyring as
the gpg-agent.  To avoid these problems, upstream detects whether the
agent appears to be provided by GNOME and complains about the hijacking
if it is (this check is already in jessie, fwiw, but the user has no
straightforward way of dealing with it because GNOME provides no
user-friendly mechanism to disable just this part of gnome-keyring).

If gpg is talking to gpg-agent in a graphical session, though, it needs
a graphical pinentry to be able to prompt the user.  So by default,
gnupg-agent Depends: on a disjunction of pinentry options, with
pinentry-gtk2 being highest-priority. The sensible fix for this is for
gpg-agent to Depend: on pinentry-curses alone (many fewer dependencies),
and for the graphical session to Depend: on a matching pinentry (see
https://bugs.debian.org/765406), but this concern has not been acted on
within the teams who work on desktop metapackages.

Additionally, the GnuPG packaging team has had numerous complaints about
gpg-agent's default dependency on pinentry-gtk2, because this ends up
pulling in a significant number of X11-related packages on otherwise
headless systems (see https://bugs.debian.org/753163 for one of the more
recent ones).

This is a nasty thicket of subtle interlocking bugs, and surely there's
enough blame to go around.  But i'd like to find a way to fix it, and
the proposal that is in 2.0.27-2 is my best shot so far (it would be
even better if the desktop tasks would recommend a matching pinentry).

I welcome other proposals for how to improve as many of these particular
debian use cases as possible:

 a) the default minimal package set for headless machines where admins
    might want to run mutt should not pull in any X11 libraries

 b) the ability to use gnupg with full gpg-agent functionality on
    systems running GNOME

 c) the ability to use gnome-keyring's passphrase-caching safely with
    gpg-agent

pinentry upstream (the GnuPG upstream team) is working on a
pinentry-gnome3 that should address (c) as well, but it's not even
released yet, and it seems quite unlikely that we'll get that into a
jessie point release.

So how else can we try to address any of the above problems in jessie?

Regards,

        --dkg
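As an added example (not part of this thread or of the GnuPG packaging), a small POSIX sh check a user can run to see whether the agent named by GPG_AGENT_INFO looks like gnome-keyring's replacement rather than a real gpg-agent, and which of the features listed above would be degraded. It assumes the gnome-keyring socket sits in a directory whose name begins with "keyring" and that GnuPG's own socket is named S.gpg-agent; both path conventions are assumptions, not facts stated in the message.

```shell
#!/bin/sh
# Added example: classify the agent behind a GPG_AGENT_INFO value
# ("socketpath:pid:protocol") and report what a gnome-keyring agent lacks.
# Assumed path conventions (not from the thread):
#   gnome-keyring : .../keyring*/gpg       (e.g. /run/user/1000/keyring-abcd/gpg)
#   gpg-agent     : .../S.gpg-agent        (e.g. $GNUPGHOME/S.gpg-agent)
classify_gpg_agent() {
    info="$1"
    [ -n "$info" ] || { echo "none"; return 0; }
    sock="${info%%:*}"          # strip ":pid:protocol"
    case "$sock" in
        */keyring*/gpg) echo "gnome-keyring" ;;
        *S.gpg-agent)   echo "gpg-agent" ;;
        *)              echo "unknown" ;;
    esac
}

# Features gpg-agent provides that gnome-keyring does not (per the message above).
missing_features() {
    case "$(classify_gpg_agent "$1")" in
        gnome-keyring)
            printf '%s\n' \
                "S/MIME signing/decryption" \
                "smartcards" \
                "passphrases held in locked memory" \
                "updated s2k counts based on hardware capability" ;;
        *) : ;;                 # nothing known to be missing
    esac
}

# Stand-alone use: inspect the current session.
report_current_session() {
    kind=$(classify_gpg_agent "${GPG_AGENT_INFO:-}")
    echo "agent: $kind"
    [ "$kind" = "gnome-keyring" ] && echo "gpg functionality degraded; see http://wiki.gnupg.org/GnomeKeyring"
    missing_features "${GPG_AGENT_INFO:-}"
    return 0
}
```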