[pkg-gnupg-maint] Bug#834399: gnupg: gnupg2-bases gpg breaks Gajim

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 18 14:36:54 UTC 2016


Control: reassign 834399 gajim
Control: retitle 834399 Gajim GnuPG improvements
Control: tags 834399 + moreinfo
Control: affects 834399 + gnupg

Hi Thorsten--

Thanks for the report, and for pointing out improvements that need to be
made in Gajim's handling of OpenPGP.  I'm documenting different problems
with Gajim's use of GnuPG in this e-mail, some of which are related to
using GnuPG version 2.1 itself, and others which appear to be common to
the use of any version of GnuPG.

I've tried to replicate your use case, and i'm assuming that you've
configured some account on gajim to sign its presence indication with
OpenPGP.

To replicate it, i did:

 * created a new user account
 * ran gajim on it, to connect to a new xmpp account.
 * chose Edit»Accounts»select account»Personal Information»Choose Key

This all worked fine -- i was able to select a key from my public
keyring.

I note here that the key selection dialog box has a "Key ID" column.
This is not a good idea -- we shouldn't use key IDs anywhere.

If gajim wants to provide a way to distinguish between keys for users
who have multiple keys with the same exact User ID, you could add a "date
created" column, which a normal user would be able to understand.

for more details on the rationale for this, see:
https://www.debian-administration.org/users/dkg/weblog/105

There is also a checkbox there labeled "Use GPG Agent", with tooltip
text that says "If checked, Gajim will get the password from a GPG agent
like Seahorse".  It's not clear which password this refers to -- the
password that protects the OpenPGP key, the password for some specific
XMPP account, or something else.

If it's only talking about a passphrase for OpenPGP key material, then
when gpg is provided on the system by branch 2.1 or later (this can be
tested with "gpg --version", for example), this checkbox should probably
not be offered (and it should always be considered to be checked).

If i have that box checked, then when i try to log back in, i get a
dialog box with this message:


> Your passphrase is incorrect
> ----------------------------
> You configured Gajim to use OpenPGP agent, but there is no OpenPGP agent running or it returned a wrong passphrase.
> You are currently connected without your OpenPGP key.

This message is wrong, because gpg-agent is indeed running.


looking in the source for gajim, i see this associated with the
following things:

 function handle_event_bad_gpg_passphrase
 event bad-gpg-passphrase
 class BadGPGPassphraseEvent

it appears to be generated in this case by _send_first_presence, which
deals with a failed initial attempt to sign the initial presence
message.

The initial attempt appears to fail because of an exception shown on
stderr:

Exception in thread Thread-12:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/share/gajim/src/common/gnupg.py", line 772, in _read_response
    result.handle_status(keyword, value)
  File "/usr/share/gajim/src/common/gnupg.py", line 628, in handle_status
    raise ValueError("Unknown status message: %r" % key)
ValueError: Unknown status message: u'KEY_CONSIDERED'


The list of status messages around line 612 of src/common/gnupg.py (in
handle_status()) isn't complete.

I also noticed that under Edit»Accounts»Local»Personal Information in
the "OpenPGP" header, it says:

   OpenPGP is not usable on this computer

This is wrong, since OpenPGP is clearly available for this account.

So: please improve gajim's support for OpenPGP!  The simplest way to do
this for the 2.1 transition is probably just to make gajim Depend: gnupg
(>= 2.1), strip out the checkboxes for gpg-agent, and assume that gajim
will never directly handle any passphrases for GnuPG.  Fixing the key
selection dialog and clarifying the rationale for sending PGP-signed
statuses would also be a bonus.

Thorsten, i also noticed from your terminal transcript:

>  gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)

This is surprising to me, since gnupg 2.1.14-5 Depends:
gnupg-agent (= 2.1.14-5).  can you clarify this?

Regards,

     --dkg
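The traceback above shows the failure mode exactly: a status-fd parser with a closed list of keywords raises on the first keyword it has never seen, and GnuPG 2.1 added KEY_CONSIDERED. The sketch below is an added illustration, not Gajim's code, of how such a handler can be written so that unknown status keywords are logged and skipped while the keywords that carry a decision (SIG_CREATED, BAD_PASSPHRASE) are still acted on. It also pulls the full fingerprint out of KEY_CONSIDERED and SIG_CREATED rather than a short key ID, which is what a key-selection dialog should be keyed on. The class and function names, and the status lines it is fed, are constructed for this example; the status-line format itself is GnuPG's `--status-fd` output as documented in doc/DETAILS.

```python
import logging
import re

log = logging.getLogger("gpg-status")

# Status keywords this consumer knows about. Anything else is logged and
# skipped instead of aborting the whole signing operation, which is what
# happens when the list is closed and a newer gpg emits a new keyword.
KNOWN_STATUS = {
    "BEGIN_SIGNING", "SIG_CREATED", "GOOD_PASSPHRASE", "BAD_PASSPHRASE",
    "NEED_PASSPHRASE", "KEY_CONSIDERED",
}

# gpg --status-fd lines look like "[GNUPG:] KEYWORD optional arguments".
STATUS_RE = re.compile(r"^\[GNUPG:\] (?P<keyword>[A-Z0-9_]+)(?: (?P<value>.*))?$")


class SignResult:
    """Outcome of one signing run, filled in from status-fd lines (example class)."""

    def __init__(self):
        self.ok = False
        self.bad_passphrase = False
        self.fingerprint = None   # full 40-hex fingerprint, never a 32-bit key ID
        self.unknown = []         # keywords we did not recognise, for diagnostics

    def handle_status(self, keyword, value):
        if keyword == "KEY_CONSIDERED":
            # KEY_CONSIDERED <fpr> <flags>  (emitted by GnuPG 2.1 and later)
            self.fingerprint = value.split()[0]
        elif keyword == "SIG_CREATED":
            # SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>
            fields = value.split()
            if len(fields) > 5:
                self.fingerprint = fields[5]
            self.ok = True
        elif keyword == "BAD_PASSPHRASE":
            # Only this keyword justifies a "your passphrase is incorrect" dialog.
            self.bad_passphrase = True
        elif keyword in KNOWN_STATUS:
            pass  # informational, nothing to record
        else:
            # Forward-compatible: record and keep going rather than raise.
            self.unknown.append(keyword)
            log.warning("ignoring unknown gpg status keyword %s", keyword)


def parse_status_fd(lines):
    """Feed status-fd lines to a SignResult; non-status lines are ignored."""
    result = SignResult()
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        result.handle_status(m.group("keyword"), m.group("value") or "")
    return result


# Constructed sample of what gpg 2.1 writes to --status-fd while signing,
# including a made-up future keyword to show the tolerant path.
SAMPLE_STATUS = """\
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] BEGIN_SIGNING H10
[GNUPG:] FUTURE_STATUS_KEYWORD some arguments
[GNUPG:] SIG_CREATED D 1 10 01 1471530000 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    r = parse_status_fd(SAMPLE_STATUS.splitlines())
    print("signed:", r.ok, "fingerprint:", r.fingerprint, "unknown:", r.unknown)
```

The point of the split between `KNOWN_STATUS` and the `else` branch is that the only keyword that should ever surface as a passphrase error to the user is BAD_PASSPHRASE; an unrecognised keyword is a logging event, not an error, so the presence message still gets signed when gpg is newer than the client.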