[pkg-gnupg-maint] Bug#841909: Bug#841909: /usr/bin/gpg: Configuration error over ssh

Craig Small csmall at debian.org
Tue Oct 25 11:14:35 UTC 2016


Looks like you've hit the nail on the head there.

$ dpkg -l 'pinentry*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
un  pinentry       <none>       <none>       (no description available)
un  pinentry-curse <none>       <none>       (no description available)
un  pinentry-doc   <none>       <none>       (no description available)
ii  pinentry-gnome 0.9.7-6      amd64        GNOME 3 PIN or pass-phrase entry
ii  pinentry-gtk2  0.9.7-6      amd64        GTK+-2-based PIN or pass-phrase e
un  pinentry-x11   <none>       <none>       (no description available)
csmall@elmo:~$ readlink -f $(which pinentry)
/usr/bin/pinentry-gnome3


I also rebuilt the pinentry-gnome3 with the patch. What happens now is I
get the ncurses pinentry screen appearing and the file is successfully
signed. So yes, for me at least your patch solves my problem. Thanks for
the quick answer!

 - Craig



On Tue, Oct 25, 2016 at 4:57 AM Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:

> Control: tags 841909 + moreinfo
> Hi Craig--
>
> On Mon 2016-10-24 07:13:25 -0400, Craig Small wrote:
> > Since the latest upgrade, I am unable to sign anything using a ssh
> > shell.
> >
> > $ gpg --sign gpg.txt
> > File 'gpg.txt.gpg' exists. Overwrite? (y/N) y
> > gpg: signing failed: Configuration error
> > gpg: signing failed: Configuration error
> >
> > There is a work-around
> > ssh to the remote system
> > killall gpg-agent
> > unset DBUS_SESSION_BUS_ADDRESS
> > gpg will now work.
> >
> > I am unsure why this environment variable causes the problem. It has
> > something to do with the gpg-agent not gpg itself.
> >
> > I tried it with two ssh sessions, one running gpg and one running gpg
> > agent. If the agent had that variable unset, it worked even if the
> > window running gpg itself had it set. The other way around it failed
> > meaning gpg-agent and not gpg itself has the problem with the
> > environment.
> >
> > This is gpg-agent with the environment variable set.
> >
> > gpg-agent --verbose --homedir /home/csmall/.gnupg --use-standard-socket --daemon /bin/bash
> > gpg-agent[28745]: WARNING: "--use-standard-socket" is an obsolete option - it has no effect
> > gpg-agent[28745]: listening on socket '/run/user/1000/gnupg/S.gpg-agent'
> > gpg-agent[28745]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.rstrd'
> > gpg-agent[28745]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.brwsr'
> > gpg-agent[28745]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
> > gpg-agent[28746]: gpg-agent (GnuPG) 2.1.15 started
> > $ gpg-agent[28746]: handler 0x7f347273d700 for fd 8 started
> > gpg-agent[28746]: starting a new PIN Entry
> > gpg-agent[28746]: failed to unprotect the secret key: Configuration error
> > gpg-agent[28746]: failed to read the secret key
> > gpg-agent[28746]: command 'PKSIGN' failed: Configuration error <Pinentry>
> > gpg-agent[28746]: handler 0x7f347273d700 for fd 8 terminated
> > gpg-agent[28746]: handler 0x7f3471f3c700 for fd 9 started
> > gpg-agent[28746]: handler 0x7f3471f3c700 for fd 9 terminated
>
> It sounds to me like what you're seeing is pinentry-gnome3, which knows
> to fall back to curses if DBUS_SESSION_BUS_ADDRESS is unset, but which
> fails when run with an active DBUS session but no way to prompt the
> user.
>
> I'd like to confirm this, though: what version(s) of pinentry do you
> have installed on the system in question?  what is the default pinentry?
>
>   dpkg -l 'pinentry-*'
>   readlink -f $(which pinentry)
>
> additionally, you could try adding debug-pinentry to the gpg-agent
> config, to see if there's any additional information provided.
>
> If my guess is correct and you're using pinentry-gnome3 but the system
> doesn't have gcr running or available, you might try the attached patch
> to pinentry-gnome3.  i proposed it to upstream but there's been some
> pushback.  If you could confirm that it works for you in this context
> that'd be good to know.
>
> Alternately, try specifying pinentry-curses as your preferred pinentry
> on the remote machine, either via pinentry-program (in gpg-agent.conf)
> or via "update-alternatives --config pinentry", or by just purging all
> the graphical pinentries and leaving only pinentry-curses (if your
> machine never has a graphical environment available).
>
> let me know what you find!
>
>         --dkg
>
>
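
Added example, not part of the original thread or of GnuPG/pinentry: a shell diagnostic that reads DBUS_SESSION_BUS_ADDRESS from the running gpg-agent's environment (the thread shows it is the agent's environment, not gpg's, that matters) and combines it with the resolved pinentry to say whether the session matches the failure described above. The function names and verdict strings are made up for illustration, treating SSH_CONNECTION as the sign of "no way to prompt the user" is an assumption, and a pinentry-program override in gpg-agent.conf is not considered.

```shell
#!/bin/sh
# Added example (not from the thread). Names and verdict strings are hypothetical.

# env_from_environ FILE VAR: print VAR's value from a NUL-separated
# /proc/<pid>/environ-style file; prints nothing if VAR is absent.
env_from_environ() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# classify_pinentry PINENTRY_PATH DBUS_ADDR SSH_CONN
# Encodes only the behaviour described in the thread.
classify_pinentry() {
    case "$1" in
        */pinentry-curses) echo "curses" ;;
        */pinentry-gnome3)
            if [ -z "$2" ]; then
                # Unset D-Bus address: pinentry-gnome3 falls back to curses.
                echo "gnome3-falls-back-to-curses"
            elif [ -n "$3" ]; then
                # Assumption: a D-Bus session inside a remote login stands for
                # "active DBUS session but no way to prompt the user".
                echo "at-risk-configuration-error"
            else
                echo "gnome3-graphical"
            fi ;;
        *) echo "not-covered-by-thread" ;;
    esac
}

# diagnose_live: inspect the current user's running agent (Linux /proc only).
diagnose_live() {
    pid=$(pgrep -u "$(id -u)" -x gpg-agent | head -n 1)
    [ -n "$pid" ] || { echo "no gpg-agent running"; return 1; }
    environ=/proc/$pid/environ
    classify_pinentry "$(readlink -f "$(command -v pinentry)")" \
        "$(env_from_environ "$environ" DBUS_SESSION_BUS_ADDRESS)" \
        "$(env_from_environ "$environ" SSH_CONNECTION)"
}

# Run against the real system only when asked to: sh script.sh --live
if [ "${1:-}" = "--live" ]; then diagnose_live; fi
```

An "at-risk-configuration-error" verdict corresponds to the two remedies in the thread: restart the agent without DBUS_SESSION_BUS_ADDRESS, or make pinentry-curses the preferred pinentry.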