[pkg-gnupg-maint] Bug#790737: gpg agent workaround

A Mennucc1 mennucc1 at debian.org
Sat Jul 4 13:05:46 UTC 2015


dear all,

I had some problems using GPA

I did some testing re: this bug

It seems that gpa really needs the gpg agent up and running. W/o agent 
it reports the error:
    "THE GPGME library returned and unexpected error at keytable.c:150.
The error was: unknown option"
and is unusable, and it hangs and never exits.

Moreover gpa does not work with the fake agent
    "THE GPGME library returned and unexpected error at keytable.c:150.
The error was: unsupported certificate"

I have prepared a workaround. TL;DR: jump to section 'Summarizing'



Let me first explain a few technical thingies, so that everybody can
understand the problem and its subtleties

-1------ the gpg agent

To use the gpg-agent , the program gpg needs to know where to find it.
To this end, the location of the agent is saved in the environment
variable GPG_AGENT_INFO

There are two ways to start the agent

-1a--- global  gpg-agent for X11 session

If you add the string   use-agent  to either  ~/.gnupg/gpg.conf or 
~/.gnupg/options, then a global gpg-agent will be started for the whole
X session. This is done by the script file 
/etc/X11/Xsession.d/90gpg-agent  . When starting the agent , the env
variable for this agent is also saved in the file 
~/.gnupg/gpg-agent-info-$(hostname)

(If you add "use-agent" right now, you need to log out and login again)

-1b------ local  gpg-agent for terminal

open a terminal and run the command
# eval $(gpg-agent --daemon)

this will start a gpg-agent, and set the env variable

any further command you issue in this terminal (e.g. gpa) will use this
agent

this is though inconvenient since other terminals will not see this same
agent

-2-------  the gnome-keyring

If the gnome-keyring is installed, then it will overwrite the
GPG_AGENT_INFO variable, and propose itself as gpg-agent . Unfortunately
gpa is not compatible.  So let's work around this.

-2a---- remove gnome-keyring

You may remove the package gnome-keyring  and reboot. Problem is, the
network-manager-applet uses gnome-keyring to store and to ask for WIFI
passwords. If you remove it, next time you will try to connect to a new
WIFI, it will all fail silently.

-2b--- recover global agent

If you are running the global  gpg-agent for X11 session, then you can
recover this mess as follows

open a terminal and run the commands

# source   ~/.gnupg/gpg-agent-info-$(hostname)
# export GPG_AGENT_INFO

this will recover the connection to the global agent

any further command you issue in this terminal (e.g. gpa) will use the
global agent

this though will not let you use 'gpa' from the main application menu,
so I prepared an automatic method, see sec 4

-2c--- use a local agent

just follow instructions at point 1b before.

--4------------------ Summarizing

This is a workaround that will solve the problem for good.

For normal users, do this:

save the attached file gpa.mine as /tmp/gpa.mine , and

# sudo dpkg-divert --local --rename --add /usr/bin/gpa
# sudo cp /tmp/gpa.mine /usr/bin/gpa
# sudo chown root:root /usr/bin/gpa
# sudo chmod 0755 /usr/bin/gpa


So I suggest to the maintainer to wrap gpa into a shell script,
imitating the above .

After doing the above  then gpa works OK in all situations, and you can
keep gnome-keyring installed

that's all folks

    a.

-------------- next part --------------
#!/bin/sh

: ${GNUPGHOME=$HOME/.gnupg}

GPGAGENT=/usr/bin/gpg-agent
PID_FILE="$GNUPGHOME/gpg-agent-info-$(hostname)"


warn () {
    echo "gpa warning: $1" 1>&2
    if test -x /usr/bin/zenity ; then
        zenity --warning --text="gpa warning: $1" &
    fi
}

if ! test -x "$GPGAGENT" ; then

    warn "gpg-agent not installed, gpa will not work correctly"

else

    ## It would be nice to warn people, but let's omit this
    #if test "${GPG_AGENT_INFO}" = "" && ! grep -qs '^[[:space:]]*use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options" ; then
    #    warn "gpg-agent is not enabled globally, you may want to add 'use-agent' to $GNUPGHOME/gpg.conf"
    #fi

    # the GPG_AGENT_INFO may point to the dreaded gnome-keyring
    case ${GPG_AGENT_INFO} in
        # this is the agent set up by gnome-keyring, and is not compatible with gpg
        /run/user/*/keyring/gpg* | "${XDG_RUNTIME_DIR}"/keyring/gpg* )
            warn "overriding gnome-keyring fake gpg agent" ; unset GPG_AGENT_INFO ;;
    esac

    # if no env variable, try to recover the global one
    if test "${GPG_AGENT_INFO}" = "" && test -f "${PID_FILE}" ; then
        . "${PID_FILE}"
        export GPG_AGENT_INFO
    fi

    # check that the above information is not stale; with no arguments,
    # gpg-agent only tests whether a running agent is reachable
    if ! "$GPGAGENT" 1>/dev/null 2>/dev/null; then
        "$GPGAGENT" --daemon --sh --write-env-file="${PID_FILE}"
        . "${PID_FILE}"
        export GPG_AGENT_INFO
    fi
fi


exec /usr/bin/gpa.distrib "$@"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20150704/5ae4b69d/attachment.sig>
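
The recovery step in 2b and the attached wrapper both source ~/.gnupg/gpg-agent-info-$(hostname), which executes whatever that file contains. The following is an added example, not part of the original post or its attachment: it reads the value without executing the file and tells the gnome-keyring agent apart from a real one. The function names read_agent_info and classify_agent_info are hypothetical, and the file is assumed to hold a plain GPG_AGENT_INFO=<socket>:<pid>:<version> line.

```sh
#!/bin/sh
# Added example, not part of the original post; function names are hypothetical.

# Print the GPG_AGENT_INFO value stored in an env file without sourcing it.
# Fails if the file is missing, not owned by us, or group/world-writable.
read_agent_info() {
    file=$1
    [ -f "$file" ] && [ -O "$file" ] || return 1
    [ -z "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    value=$(sed -n 's/^GPG_AGENT_INFO=//p' "$file" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Classify a GPG_AGENT_INFO value: none | invalid | keyring | agent.
# Assumed format: <absolute socket path>:<pid>:<protocol version>
classify_agent_info() {
    value=$1
    [ -n "$value" ] || { echo none; return 0; }
    case $value in
        /*:*:*) ;;
        *) echo invalid; return 0 ;;
    esac
    rest=${value%:*}      # drop the protocol version
    pid=${rest##*:}       # middle field
    sock=${rest%:*}       # everything before the pid
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    case $sock in
        /run/user/*/keyring/gpg*) echo keyring ;;
        "${XDG_RUNTIME_DIR:-/nonexistent}"/keyring/gpg*) echo keyring ;;
        *) echo agent ;;
    esac
}

# Constructed sample values (not taken from a real system).
for sample in "" "/tmp/gpg-AbCdEf/S.gpg-agent:4242:1" \
    "/run/user/1000/keyring/gpg:0:1" "/tmp/x:notapid:1"; do
    printf '%-40s -> %s\n' "${sample:-<empty>}" "$(classify_agent_info "$sample")"
done
```

This checks only the format and origin of the value; whether the agent behind it is still alive is what the wrapper's bare gpg-agent call tests.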

