[Pkg-mozext-maintainers] Bug#870073: Bug#870073: enigmail: Does not encrypt and gives alerts after upgrade to Thunderbird 52
Paul van der Vlis
paul at vandervlis.nl
Mon Aug 7 17:57:41 UTC 2017
Hello Daniel,
On 07-08-17 at 18:57, Daniel Kahn Gillmor wrote:
> Control: retitle 870073 enigmail: [jessie only] enigmail needs access to a running gpg-agent
>
> On Sun 2017-08-06 16:16:18 +0200, Paul van der Vlis wrote:
>> On 31-07-17 at 23:38, Daniel Kahn Gillmor wrote:
>>> I haven't seen this message at all. are you certain that gpg-agent is
>>> running?
>>
>> I don't see it when I use "ps aux".
>
> ok, this is an issue that is specific to debian jessie only. on stretch
> and later, the gpg-agent has an autolaunch mechanism that avoids these
> problems entirely.
Aha.
>>> Do you ever see a dialog box that prompts you for your gpg
>>> password?
>>
>> When I first use Enigmail I am asked for a password. After that, I can
>> use Enigmail without any question about a password (I don't like this
>> behaviour. But I don't know how to turn it off).
>
> It sounds like enigmail is auto-launching an agent during key
> generation, and using it for the rest of the session. I'd imagine if
> you "killall gpg-agent" after key creation you will find that enigmail
> no longer works.
I have not created a keypair; I have an existing keypair that I use.
> enigmail 1.9.8.1 expects gpg to use a gpg agent process. It does not
> prompt the user for a passphrase during normal use.
Aha.
>>> Can you try adding "use-agent" to your ~/.gnupg/gpg.conf and then
>>> logging out and logging back in again?
>>
>> Yes, the behaviour is still there when I use "use-agent" in
>> ~/.gnupg/gpg.conf and logout and login again.
>>
>> But then I see gpg-agent running with "ps aux".
>
> this is strange. what do the following commands show when you've logged
> in with "use-agent" running?
>
>
> echo $GPG_AGENT_INFO
/run/user/1000/keyring/gpg:0:1
> gpg-connect-agent 'getinfo socket_name' /bye
ERR 280 not implemented
>> The following tests are without "use-agent" in my gpg.conf.
>
> you should put use-agent in gpg.conf if you want to use enigmail
I've done that now, but it does not work OK.
> -- or
> you should upgrade to stretch where it is on by default. :)
I would like to find out this problem first.
>>> As a workaround, please also try closing thunderbird and then
>>> re-launching it with the following command:
>>>
>>> gpg-agent --daemon thunderbird
>>>
>>> Does that cause the error message to go away?
>>
>> Now, I get another dialog window asking me for the password. It has
>> "pinentry" in the title.
>> I don't get an error anymore while decrypting.
>> Encryption seems to be OK, and asks again for a password.
>>
>> So this looks OK, but different from normal.
>
> this is a workaround for you not having "use-agent" in your gpg.conf.
I think it's also a workaround for the Gnome-keyring hijacking...
>> Maybe this is interesting:
>> gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
>> gpg: WARNING: GnuPG will not work properly - please configure that tool
>> to not interfere with the GnuPG system!
>>
>> I am using Cinnamon as my desktop-environment, and GDM3 as display manager.
>
> please see:
>
> https://wiki.gnupg.org/GnomeKeyring
I did now as root:
dpkg-divert --local --rename --divert \
/etc/xdg/autostart/gnome-keyring-gpg.desktop-disable \
--add /etc/xdg/autostart/gnome-keyring-gpg.desktop
And I logged out and in again. Now I can use Enigmail, but it does not work
really nicely. Before, I could turn on encrypting and signing using the
menu. Now it says by default "encrypt (auto)" and it's not clear if it's
encrypting or not. If I click on it, it says "encrypt" without "(auto)"
and then it works, but I cannot turn it off anymore using the menu. But
maybe this is new and normal.
> for information about gnome-keyring and gpg-agent. modern versions of
> gnome-keyring and gpg-agent play nicer together.
>
>> 2017-08-06 16:00:06.149 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='/run/user/1000/keyring/gpg:0:1'
>
> This is very surprising to me, especially for gpg-agent 2.0.26. I don't
> think that version of gpg-agent used /run/user -- i would expect it
> instead to use something like /tmp/gpg-1uGi7D/S.gpg-agent:679:1
>
> where is this value coming from? have you modified any config files, or
> tried to mix packages across versions of the distro?
No, my installation is "clean". I don't do strange things on this
production machine. But maybe I have copied my ~/.gnupg directory from
my old computer and there are now other defaults.
> I'm still not able to reproduce the specific behavior you describe,
> unfortunately.
Maybe this is interesting for you:
-------
paul at laptopp:~$ echo $GPG_AGENT_INFO
/tmp/gpg-ti0k4C/S.gpg-agent:10207:1
paul at laptopp:~$
paul at laptopp:~$ gpg-connect-agent 'getinfo socket_name' /bye
D /tmp/gpg-ti0k4C/S.gpg-agent
OK
paul at laptopp:~$
------
This is after the "dpkg-divert" command.
So I think what other people with this problem have to do is:
---------
echo "use-agent" >> ~/.gnupg/gpg.conf
sudo dpkg-divert --local --rename --divert \
/etc/xdg/autostart/gnome-keyring-gpg.desktop-disable \
--add /etc/xdg/autostart/gnome-keyring-gpg.desktop
logout and login again.
---------
Thanks very much for your help!
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/