[pkg-gnupg-maint] Bug#836772: Bug#836772: gnupg: unable to sign anyone's keys

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 6 07:17:33 UTC 2016


Control: retitle 836772 pinentry fails when used from dedicated account via su -

Hi Ramakrishnan--

On Tue 2016-09-06 02:42:24 -0400, Ramakrishnan Muthukrishnan wrote:
> I am doing this on a GNOME terminal within an X11 session (running
> GNOME3), but my gpg credentials are in another account on this machine. I type 'su -
> <account>' and am doing it inside that account.

hm, i understand why you want this kind of user account isolation.  I'll
call the account that runs the graphical session your "Main Account" and
i'll call the account that controls your keyring your "Keyring Account".

This is an unusual setup, and might not be well-supported with the
particular configuration you're using.

Was your "grep pinentry ~/.gnupg/*.conf" done from within the Keyring
Account, or from the Main Account?

What if you put "pinentry-program /usr/bin/pinentry-curses" into
~/.gnupg/gpg-agent.conf in the Keyring Account, and from the Keyring
Account do:

    gpgconf --reload gpg-agent

and try again?  That will make you try to use pinentry-curses at least,
rather than trying to have the Keyring Account talk to your GNOME
session, which seems unlikely to work.

I'm concerned that this still won't work, though, because the TTY for
the Gnome Terminal is owned by the Main Account, but the Keyring Account
is what will try to talk to it.

If it still fails, what happens when you expand the permissions on your
terminal before doing an su ?  For example, if your Keyring Account is
named "keyring-account" and you have the acl package installed, you
might try a wrapper like this:

    #!/bin/sh
    # Grant the Keyring Account read/write on this terminal only for the
    # duration of the su session, and revoke it even if su is interrupted.
    TTY=$(tty)
    setfacl -m u:keyring-account:rw "$TTY"
    trap 'setfacl -x u:keyring-account "$TTY"' EXIT
    su - keyring-account

> I have also set the following in the .profile:
>
> GPG_TTY=$(tty)
> export GPG_TTY

I think this is in the Keyring Account's .profile -- is that right?
This makes me think you prefer to have the agent prompt the user on the
terminal, rather than through your graphical session, which is why i'm
proposing the above steps.

Can you try them out and report back if they work for you?

    --dkg
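A small diagnostic, added here as an example and not part of the mail above, that checks the three preconditions the reply relies on from inside the Keyring Account: gpg-agent.conf selects pinentry-curses, GPG_TTY names the current terminal, and that terminal is readable and writable by the account running gpg (the part the setfacl wrapper is meant to fix). The function name and argument layout are my own choice.

```shell
#!/bin/sh
# check_pinentry_setup CONF TTY
#   CONF: path to the Keyring Account's gpg-agent.conf
#   TTY:  terminal device to check, normally "$(tty)"
# Returns 0 when every check passes; otherwise prints each failing check
# and returns 1.
check_pinentry_setup() {
    conf="$1"
    term="$2"
    status=0

    # 1. gpg-agent must be told to use the terminal pinentry, not a
    #    graphical one that would try to reach the Main Account's session.
    if ! grep -q '^pinentry-program[[:space:]][[:space:]]*.*pinentry-curses' "$conf" 2>/dev/null; then
        echo "FAIL: $conf does not set pinentry-program to pinentry-curses"
        status=1
    fi

    # 2. GPG_TTY must be exported and must name this terminal, or the
    #    agent cannot know where to draw the prompt.
    if [ "${GPG_TTY:-}" != "$term" ]; then
        echo "FAIL: GPG_TTY is '${GPG_TTY:-unset}', expected '$term'"
        status=1
    fi

    # 3. After 'su -' the terminal is still owned by the Main Account, so
    #    the Keyring Account needs an ACL (or similar) to read and write it.
    if [ ! -r "$term" ] || [ ! -w "$term" ]; then
        echo "FAIL: $term is not readable and writable by $(id -un)"
        status=1
    fi

    return "$status"
}

# Run from inside the Keyring Account, e.g.:
#   check_pinentry_setup "$HOME/.gnupg/gpg-agent.conf" "$(tty)"
```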

