[pkg-gnupg-maint] Bug#851440: Bug#851440: sign_and_send_pubkey: signing failed: agent refused operation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 18 08:47:18 UTC 2017


On Sun 2017-01-15 11:35:59 -0500, Dominik George wrote:
>> Suddenly, using gpg-agent as ssh-agent with authentication subkeys
>> stopped working:
>> 
>> sign_and_send_pubkey: signing failed: agent refused operation
>> 
>> I can, however, still see my authentication subkeys in ssh-add -l:
>> 
>> % ssh-add -l
>> 4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
>> 256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)
>
> I found out this only happens when using the systemd user service.
> Disabling it and manually starting the agent works.

Do you have the dbus-user-session package installed?  What pinentry are
you using?

Can you try terminating your manually-launched agent, re-enabling and
restarting the systemd user service, and then telling gpg-agent to
update its "startuptty"?

    gpg-connect-agent killagent /bye
    systemctl --user enable --now 'gpg-agent*.socket'
    gpg-connect-agent updatestartuptty /bye

Then try using gpg-agent for ssh-agent again.  Does it work?

If so, then the issue has to do with the interaction between pinentry
and the systemd user services, and the fact that the ssh-agent protocol
doesn't have a way for a client to provide any hints or feedback to the
ssh-agent daemon about how to contact the user.

This impedance mismatch between ssh-agent and gpg-agent makes it
difficult for gpg-agent to know how to prompt the user by default.  But
if you're using pinentry-gnome3 and dbus-user-session then the agent
will just know automatically how to prompt the user, because the user
services will know to use the same dbus session that pinentry-gnome3
uses to provide feedback to the user.

hth,

     --dkg
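
A diagnostic sketch for the situation described in the message above, added here as an example and not part of the original e-mail or of GnuPG: it reports whether the agent can prompt through the D-Bus session (pinentry-gnome3 plus dbus-user-session) or depends on the startup tty that `updatestartuptty` refreshes. The function names, the verdict strings and the `gpg-agent-ssh.socket` unit name (taken from Debian's packaging) are assumptions.

```shell
#!/bin/sh
# Added example: decide how gpg-agent can reach the user for ssh requests.

# prompt_path SSH_AUTH_SOCK AGENT_SSH_SOCKET PINENTRY_PATH DBUS_PKG_STATE
# Pure decision function (hypothetical name), testable without an agent.
prompt_path() {
    ssh_sock=$1; agent_sock=$2; pinentry=$3; dbus_state=$4
    if [ -z "$ssh_sock" ] || [ "$ssh_sock" != "$agent_sock" ]; then
        echo "ssh-not-using-gpg-agent"; return 0
    fi
    case "$pinentry" in
        *pinentry-gnome3*)
            if [ "$dbus_state" = "installed" ]; then
                echo "prompts-via-dbus-session"; return 0
            fi ;;
    esac
    echo "needs-updatestartuptty"
}

# Gather the real values on a Debian system and print a short report.
report() {
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || true
    # Compiled-in default pinentry; a pinentry-program line in
    # gpg-agent.conf would override it and is not inspected here.
    pin=$(gpgconf --list-components 2>/dev/null |
          awk -F: '$1 == "pinentry" { print $3 }')
    pin=$(readlink -f "$pin" 2>/dev/null) || true
    if dpkg-query -W -f='${Status}' dbus-user-session 2>/dev/null |
       grep -q 'install ok installed'; then dbus=installed; else dbus=missing; fi
    # Unit name assumed from Debian's gnupg packaging.
    unit=$(systemctl --user is-active gpg-agent-ssh.socket 2>/dev/null) || true
    verdict=$(prompt_path "${SSH_AUTH_SOCK:-}" "$sock" "$pin" "$dbus")
    echo "gpg-agent-ssh.socket: ${unit:-unknown}"
    echo "SSH_AUTH_SOCK:        ${SSH_AUTH_SOCK:-unset}"
    echo "agent ssh socket:     ${sock:-unknown}"
    echo "pinentry:             ${pin:-unknown}"
    echo "dbus-user-session:    $dbus"
    echo "verdict:              $verdict"
    if [ "$verdict" = "needs-updatestartuptty" ]; then
        echo "From the terminal that should receive prompts, run:"
        echo "  gpg-connect-agent updatestartuptty /bye"
    fi
}

# Only report where GnuPG is installed.
if command -v gpgconf >/dev/null 2>&1; then report; fi
```
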