[pkg-gnupg-maint] Bug#851462: Bug#851462: #851462 gpg-agent: a gpg-agent is already running - not starting a new one
Thomas Dickey
dickey at his.com
Thu Apr 27 08:28:35 UTC 2017
On Wed, Apr 26, 2017 at 07:28:56PM -0700, Daniel Kahn Gillmor wrote:
> Hi Thomas--
>
> On Tue 2017-04-25 21:37:46 -0400, Thomas Dickey wrote:
> > Referring to the manual page:
> >
> > gpg-agent --daemon --enable-ssh-support \
>
> The above line doesn't appear in the gpg-agent manual page, afaict. In
It certainly was in the version provided when I wrote the script.
(The most recent manual page has removed that information, trimming
about a third of the manual).
> a modern version of gpg-agent, ssh support is always enabled.
>
> The OpenSSH Agent protocol is always enabled
>
> whether you decide to use it for ssh-agent or whether you decide to use
> a different ssh-agent implementation is up to you, and you can make that
> decision explicit by deciding how you'll set the $SSH_AUTH_SOCK
> environment variable.
It didn't connect to most of the machines I use. I'm not going to consider
using the feature unless it works with all machines.
> > I tried using the ssh-support option, have never seen it work reliably.
> > After some experimentation a few years ago, I came up with this working
> > solution.
>
> if it never worked reliably, and you found some complex workaround, it's
> entirely possible that upstream fixed the unreliability and was unaware
> of whatever workaround you've chosen to do. I'm still having a hard
> time following it myself.
>
> Perhaps using it as currently expected by upstream (and removing complex
> workarounds) will be the most fruitful result for you.
no - if it's not interoperable with the different machines I use,
it is of no use to me. If gpgconf exists only on a few machines,
it's not useful (at best, it would be a choice provided via a
script, but if the script cannot be made reliable because the program
does not return useful error-codes, then that wouldn't be useful).
> > The updates for gpg-agent in January broke my solution (and the
> > explanation of the "new" behavior sounds as though it's been "improved"
> > to only work in a desktop session - if that is incorrect, you should
> > provide that information clearly in the README.Debian file - as written
> > it does not address this bug report:
>
> you can use gpg-agent without needing a desktop session, but if you need
> interactive prompting, a desktop session is recommended. desktops are
> good at that kind of interactivity :)
Combining "desktop" and "good" in the same sentence won't lead to
a productive discussion. Don't go there.
> > leaves a lot unsaid. In my case, there was no desktop session.
> > (The package still depends upon either pinentry-curses or pinentry).
>
> ok, so you're running from a network console? from a vt? some other
> environment? the more you can help me understand your setup, the better
> i'll be able to help.
You should read the mail. I am using ssh to connect to a machine where
I want to run gpg-agent. With the recent change, I can no longer use
gpg-agent. With Debian for instance, I use it for signing packages.
> > hmm - no: I overlooked that. It's been a couple of years since I put these
> > together. The "killall" in "wrapssh" is redundant; I'm killing it in
> > "presign" so that I can force it to use pinentry-curses
>
> if your goal is to force the use of pinentry-curses, and you're on a
> machine without a desktop environment, you should either ensure that
> /usr/bin/pinentry points to pinentry-curses, or you should put
> "pinentry-program /usr/bin/pinentry-curses" into ~/.gnupg/gpg-agent.conf
I'll investigate that (I recall that aspect not working on some systems,
which insisted on using the X version of pinentry, but don't have the
list in my memory).
> > #!/bin/sh
> > # $Id: presign,v 1.2 2014/09/01 14:54:50 tom Exp $
> > # vi:ts=4
> > # Initialize a subshell which will run gpg-agent, sets a variable that we can
> > # use in the initialization to force an gpg-sign prompt.
>
> You should *not* expect to run multiple concurrent gpg-agents on the
> same GnuPG home directory. That is explicitly not supported by
> upstream.
>
> > ... and Debian/testing isn't the only system that I use it on.
>
> I'm sorry, but i can't support arbitrary scripts that run on arbitrary
> operating systems. My hands are pretty full with supporting GnuPG on
> debian :/
Likewise, I cannot make Debian a priority. It has to cooperate with
other development.
> > Back to the bug report: what I'm reading is that gpg-agent can no longer
> > be used as documented.
>
> I still don't see this, sorry. Can you try to produce the simplest
> possible example that reproduces the problem?
>
> --dkg
I'll take a look to add information.
--
Thomas E. Dickey <dickey at invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170427/d7b9e853/attachment.sig>
More information about the pkg-gnupg-maint
mailing list