[pkg-gnupg-maint] Bug#568375: Bug#568375: gnupg-agent: does not work with `git tag -s`

Luca Capello luca at pca.it
Mon Feb 13 22:13:07 UTC 2017


Hi there,

On Sun, 12 Feb 2017 18:47:15 -0500, Daniel Kahn Gillmor wrote:
> On Sun 2017-02-12 16:52:29 -0500, Luca Capello wrote:
> > Actually, even worse, commit does not work with gnupg2_2.1.11-7:
> >
> >   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822974#35>
> 
> I'm surprised to see a report about 2.1.11-7 on 2017-02-12 when that
> package was superseded 10 days ago by 2.1.18-3.  Is there a reason that
> you're using 2.1.11-7, which is no longer in debian?

Yes, AFAIK it is the only way to have GnuPG 2.1 (to have gpg-agent
forwarding) on jessie, as I explained in the other bug report I linked.
This is also why I am working on the jessie-backports ;-)

> > What is funny is that if I plug my YubiKey 4 (basically an OpenPGP
> > smartcard) everything (commit + tag) is fine (tested on 2 different
> > jessie).
> 
> If this report is strictly about the yubikey smartcard, we should
> reassign it to scdaemon.  Does "git tag -S" work for you when you are
> *not* using a smartcard?

Oh, sorry if I was not clear enough: no, `git tag -S` does not work
without the YubiKey.

Given that I had actually missed Mickael's second post...

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568375#20>

...I tried everything again, starting with a fresh new ~/.gnupg with
GnuPG 1:
=====
$ gpg --version | head -n 1
gpg (GnuPG) 1.4.18
$ gpg --list-secret-keys
$HOME/.gnupg/secring.gpg
-------------------------------------------
sec#  4096R/E397832F 2009-07-01
uid                  Luca Capello <luca at pca.it>
uid                  Luca Capello <gismo at debian.org>
uid                  Luca Capello <luca.capello at infomaniak.ch>
uid                  Luca Capello <luca.capello at infomaniak.com>
ssb   4096R/3BE9F36D 2009-07-01
ssb#  4096R/2BB95F4B 2009-07-01
ssb>  4096R/675E1031 2016-02-22
ssb>  4096R/A0ACD061 2016-02-22
ssb>  4096R/D18542FA 2016-02-22
$ grep -v -e '^#' -e '^$' ~/.gnupg/gpg.conf
keyserver hkp://keys.gnupg.net
$ echo 'use-agent' >>~/.gnupg/gpg.conf
$ eval $(gpg-agent --daemon)
gpg-agent[13561]: directory $HOME/.gnupg/private-keys-v1.d' created
gpg-agent[13562]: gpg-agent (GnuPG) 2.1.11 started
$ mkdir test.git
$ cd test.git/
$ git init
Initialized empty Git repository in $HOME/test.git/.git/
$ echo 'test file' >file.txt
$ git add file.txt
$ git commit -m 'file.txt: new file'
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: signing failed: general error
gpg: signing failed: general error
error: gpg failed to sign the data
fatal: failed to write commit object
$ git config --global user.signingkey 3BE9F36D
$ git commit -m 'file.txt: new file'
[error as above]
$ gpg --sign file.txt
[error as above]
$ gpg --default-key 3BE9F36D --sign file.txt
[error as above]
$ gpg --default-key E397832F --sign file.txt
[error as above]
$ gpg --default-key 3BE9F36D! --sign file.txt

You need a passphrase to unlock the secret key for
user: "Luca Capello <luca at pca.it>"
4096-bit RSA key, ID 3BE9F36D, created 2009-07-01 (main key ID E397832F)

gpg: gpg-agent is not available in this session
$ 
=====

WTF?

=====
$ export GPG_TTY=$(tty)
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent is not available in this session
$ unset GPG_TTY
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: malformed GPG_AGENT_INFO environment variable
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:1"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent protocol version 0 is not supported
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:2"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent protocol version 0 is not supported
$ ls -l ~/.gnupg/private-keys-v1.d/
total 0
$
=====

OK, so I guess everything is as expected.

Let me try with the YubiKey:
=====
[insert the YubiKey]
$ gpg --card-status
[...]
General key info..: pub  4096R/675E1031 2016-02-22 Luca Capello <luca at pca.it>
[...]
$ git config --unset --global user.signingkey 3BE9F36D
$ unset GPG_AGENT_INFO
$ git commit -m 'file.txt: new file'
gpg: signatures created so far: 1799

Please enter the PIN
[sigs done: 1799]
gpg: gpg-agent is not available in this session
Enter PIN:
gpg: Interrupt caught ... exiting

$ export GPG_TTY=$(tty)
$ git commit -m 'file.txt: new file'
[same as above]
$ git commit -m 'file.txt: new file'
gpg: signatures created so far: 1799

Please enter the PIN
[sigs done: 1799]
gpg: gpg-agent is not available in this session
[master (root-commit) 74bff88] file.txt: new file
 1 file changed, 1 insertion(+)
 create mode 100644 file.txt
$ git tag -s -m 'test file' test_file
gpg: signatures created so far: 1800

Please enter the PIN
[sigs done: 1800]
gpg: gpg-agent is not available in this session
$ 
=====

Similar to #802586, ssh works fine:
=====
$ pkill gpg-agent
$ echo 'enable-ssh-support' >~/.gnupg/gpg-agent.conf
$ eval $(gpg-agent --daemon)
$ ssh-add -l
4096 57:df:0d:67:82:4a:7f:80:15:80:5f:48:e6:e6:ae:06 cardno:0123456789ab (RSA)
$
=====

Let me try with GnuPG 2.1:
=====
$ ls -l /usr/bin/gpg
lrwxrwxrwx 1 root root 4 Feb 13 22:26 /usr/bin/gpg -> gpg2
$ gpg --version | head -n 1
gpg (GnuPG) 2.1.11
$ gpg --list-secret-keys
/home/users/luca.capello/.gnupg/pubring.kbx
-------------------------------------------
sec#  rsa4096/E397832F 2009-07-01 [SC]
uid         [ unknown] Luca Capello <luca at pca.it>
uid         [ unknown] Luca Capello <gismo at debian.org>
uid         [ unknown] Luca Capello <luca.capello at infomaniak.ch>
uid         [ unknown] Luca Capello <luca.capello at infomaniak.com>
ssb   rsa4096/3BE9F36D 2009-07-01 [SEA]
ssb#  rsa4096/2BB95F4B 2009-07-01 [E]
ssb#  rsa4096/675E1031 2016-02-22 [S] [expires: 2018-02-21]
ssb#  rsa4096/A0ACD061 2016-02-22 [E] [expires: 2018-02-21]
ssb#  rsa4096/D18542FA 2016-02-22 [A] [expires: 2018-02-21]

$ grep -v -e '^#' -e '^$' ~/.gnupg/gpg.conf
$ mkdir test.git
$ cd test.git/
$ git init
Initialized empty Git repository in $HOME/test.git/.git/
$ echo 'test file' >file.txt
$ git add file.txt
$ git commit -m 'file.txt: new file'
gpg: signing failed: No secret key
gpg: signing failed: No secret key
error: gpg failed to sign the data
fatal: failed to write commit object
$ git config --global user.signingkey 3BE9F36D
$ git commit -m 'file.txt: new file'
[same error as above, this is #829246]
$ git config --global user.signingkey 3BE9F36D!
$ git commit -m 'file.txt: new file'
[master (root-commit) bfeb91c] file.txt: new file
 1 file changed, 1 insertion(+)
 create mode 100644 file.txt
$ git tag -s -m 'test file' test_file
$
=====

FTR, with `git config --global user.signingkey 3BE9F36D!`, `git commit`
works with gpg1 as well, still without the agent.

> Please see https://bugs.debian.org/854005

Nothing related to GnuPG, but I am very sad that we need to ship the
same rules in at least 3 different debpkg:

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846359#44>

Thx, bye,
Gismo / Luca
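As an added example (not part of the report and not GnuPG's own code): a small Python parser for the secret-key listings shown above that marks stubbed (`#`) and smartcard (`>`) secret parts and derives the value for git's `user.signingkey`, appending `!` when the primary key is a stub, which is the case in which the bare subkey id failed above and the same id with `!` worked. The two listings are taken from the report and trimmed to the key lines.

```python
import re

# Secret-key listings as printed by gpg 1.4 and gpg 2.1, copied from the
# report above and reduced to the sec/ssb lines.
GPG1_LISTING = """\
sec#  4096R/E397832F 2009-07-01
ssb   4096R/3BE9F36D 2009-07-01
ssb#  4096R/2BB95F4B 2009-07-01
ssb>  4096R/675E1031 2016-02-22
"""
GPG21_LISTING = """\
sec#  rsa4096/E397832F 2009-07-01 [SC]
ssb   rsa4096/3BE9F36D 2009-07-01 [SEA]
ssb#  rsa4096/2BB95F4B 2009-07-01 [E]
ssb#  rsa4096/675E1031 2016-02-22 [S] [expires: 2018-02-21]
"""

# sec/ssb, optional '#' or '>' marker, algo/keyid, creation date, rest of line
KEY_LINE = re.compile(r"^(sec|ssb)([#>]?)\s+\S+/([0-9A-Fa-f]{8,16})\s+\S+(.*)$")

def parse_secret_listing(text):
    """Return one dict per sec/ssb line: type, where the secret part is, key id, usage."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # uid lines, keyring path, separators
        kind, marker, keyid, rest = m.groups()
        # '#' = secret part is a stub (not on this machine), '>' = on a smartcard
        where = {"#": "stub", ">": "card"}.get(marker, "local")
        usage = re.findall(r"\[([SCEA]+)\]", rest)  # gpg 2.1 prints [S], [SEA], ...
        keys.append({"type": kind, "where": where, "keyid": keyid.upper(),
                     "usage": set(usage[0]) if usage else None})
    return keys

def recommend_signing_key(keys):
    """Value for `git config user.signingkey`, or None if nothing can sign.

    A local primary key is returned as-is (gpg selects a signing subkey itself).
    If the primary is a stub, as in the report, the first subkey whose secret
    part is available and that may sign is returned with a trailing '!', which
    tells gpg to use exactly that subkey instead of resolving via the primary.
    """
    primary = next((k for k in keys if k["type"] == "sec"), None)
    if primary is None:
        return None
    if primary["where"] == "local":
        return primary["keyid"]
    for k in keys:
        if k["type"] == "ssb" and k["where"] != "stub" and (k["usage"] is None or "S" in k["usage"]):
            return k["keyid"] + "!"
    return None
```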