[pkg-gnupg-maint] Bug#836772: Bug#836772: gnupg: unable to sign anyone's keys

Ramakrishnan Muthukrishnan rkrishnan at debian.org
Tue Sep 6 09:12:07 UTC 2016


Hi Dan--

On Tue, Sep 6, 2016, at 12:47 PM, Daniel Kahn Gillmor wrote:
> 
> On Tue 2016-09-06 02:42:24 -0400, Ramakrishnan Muthukrishnan wrote:
> > I am doing this on a GNOME terminal within an X11 session (running
> > GNOME3), but my gpg credentials are in another account on this machine. I type 'su -
> > <account>' and am doing it inside that account.
> 
> hm, i understand why you want this kind of user account isolation.  I'll
> call the account that runs the graphical session your "Main Account" and
> i'll call the account that controls your keyring your "Keyring Account".
> 
> This is an unusual setup, and might not be well-supported with the
> particular configuration you're using.
> 
> Was your "grep pinentry ~/.gnupg/*.conf" done from within the Keyring
> Account, or from the Main Account?

I checked it again now. That was from the Keyring account.

> What if you put "pinentry-program /usr/bin/pinentry-curses" into
> ~/.gnupg/gpg-agent.conf in the Keyring Account, and from the Keyring
> Account do:
> 
>     gpgconf --reload gpg-agent
> 
> and try again?  That will make you try to use pinentry-curses at least,

I just tried that and it is giving me the same result as before --
permission denied printed twice.

I also tried changing the pinentry program via update-alternatives to
point to the ncurses version. That didn't help either. The failure message
that is printed twice is this:

  "gpg: signing failed: Permission denied".

> rather than trying to have the Keyring Account talk to your GNOME
> session, which seems unlikely to work.
> 
> I'm concerned that this still won't work, though, because the TTY for
> the Gnome Terminal is owned by the Main Account, but the Keyring Account
> is what will try to talk to it.
> 
> If it still fails, what happens when you expand the permissions on your
> terminal before doing an su ?  For example, if your Keyring Account is
> named "keyring-account" and you have the acl package installed, you
> might try a wrapper like this:
> 
>     #!/bin/sh
>     setfacl -m u:keyring-account:rw $(tty)
>     su - keyring-account
>     setfacl -x u:keyring-account $(tty)

Ok, I tried that. The first setfacl command is returning an error: 

  "setfacl: /dev/pts/1: Operation not supported"

After logging in, it had the same behaviour as before, failing with the
Permission denied message. I am guessing the setfacl failed and hence it
didn't have any effect.

> > I have also set the following in the .profile:
> >
> > GPG_TTY=$(tty)
> > export GPG_TTY
> 
> I think this is in the Keyring Account's .profile -- is that right?

Yes, that's right.

> this makes me think you prefer to have the agent prompt the user on the
> terminal, rather than through your graphical session, which is why i'm
> proposing the above steps.
> 
> Can you try them out and report back if they work for you?

I just tried logging into the machine from the terminal (with the
pinentry-program set to the ncurses version setup in the conf file) and
that worked perfectly. So, this "bug" is not blocking me from signing
the keys.

Thanks a lot.

--
  Ramakrishnan
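The "Permission denied" in this thread comes from pinentry-curses trying to open a pseudo-terminal that belongs to the login account: a pty is normally created as `owner:tty` with mode `crw--w----`, so only the owner can read and write it, group `tty` can only write (that is what `write`/`wall` rely on), and every other account gets nothing. The following diagnostic, added here as an example and not code from the thread or from the GnuPG packaging, reads the owner, group and mode of a terminal device and says which permission class a given account falls into, so you can confirm the cause before reaching for an ACL wrapper. The account names `main-account` and `keyring-account`, the device path and the fallback `stat` line are constructed; it assumes GNU `stat -c`.

```shell
#!/bin/sh
# Diagnose why a second account cannot use pinentry-curses on a terminal
# owned by the login account. Example code, not part of the bug thread.

# mode_allows_rw MODE CLASS
#   MODE  : symbolic mode as printed by `ls -l` or `stat -c %A`, e.g. crw--w----
#   CLASS : owner | group | other
# Returns 0 when that class has both read and write permission.
mode_allows_rw() {
    mode=$1
    case $2 in
        owner) bits=$(printf '%s' "$mode" | cut -c2-4) ;;
        group) bits=$(printf '%s' "$mode" | cut -c5-7) ;;
        other) bits=$(printf '%s' "$mode" | cut -c8-10) ;;
        *)     return 2 ;;
    esac
    case $bits in
        rw?) return 0 ;;
        *)   return 1 ;;
    esac
}

# tty_class USER OWNER GROUP "USER_GROUPS"
# Prints the permission class (owner, group or other) that USER falls into
# for a device owned by OWNER:GROUP, given the groups USER belongs to.
tty_class() {
    user=$1; owner=$2; group=$3; user_groups=$4
    if [ "$user" = "$owner" ]; then echo owner; return; fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then echo group; return; fi
    done
    echo other
}

# tty_report DEVICE USER "USER_GROUPS"
# Reads owner, group and mode of DEVICE with GNU stat when it exists; when it
# does not, uses a constructed line typical of a pty owned by the login
# account (main-account:tty crw--w----) so the script runs anywhere.
# Returns 0 when USER can open the device for read and write.
tty_report() {
    dev=$1; user=$2; user_groups=$3
    if [ -e "$dev" ]; then
        set -- $(stat -c '%U %G %A' "$dev")
    else
        set -- main-account tty crw--w----   # constructed sample values
    fi
    class=$(tty_class "$user" "$1" "$2" "$user_groups")
    if mode_allows_rw "$3" "$class"; then
        echo "$user can open $dev ($1:$2 $3, as $class): pinentry-curses can use it"
        return 0
    fi
    echo "$user cannot open $dev ($1:$2 $3, as $class): expect 'Permission denied'"
    return 1
}

# Demo: the keyring account looking at the login account's terminal.
tty_report /dev/pts/1 keyring-account "keyring-account" || true
```

The 0620 mode on a pty is deliberate: it keeps other local accounts from reading what you type. If you do widen it, scope the change to the one account and revert it afterwards, as the quoted `setfacl` wrapper does; `setfacl: ... Operation not supported` means the devpts mount has no POSIX ACL support, so that route is closed on such a system. Logging in separately as the Keyring Account, which is what worked above, avoids the problem entirely because the terminal is then owned by the account running gpg.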
