guix home pinentry weirdness

  • Open
Details
3 participants
  • Andrew Tropin
  • Liliana Marie Prikler
  • Zacchaeus Scheffer
Owner: unassigned
Submitted by: Zacchaeus Scheffer
Severity: normal
Zacchaeus Scheffer wrote on 15 Feb 2022 19:46
(address . bug-guix@gnu.org)
CAJejy7nqsJVKzzYBHJ=sEMFmYF-9sE4K8QB2S4rf5E2YcJaMnA@mail.gmail.com
Hi Guix,

There seems to be some problem installing password-store + pinentry
entirely via guix home. When I have both installed as such, I get the
following outputs:

$ pinentry
OK Pleased to meet you
<C-c>
$ gpg --import ...
[prompts normally with pinentry, allows me to import]
$ pass
[my password entries]
$ pass [entry name]
gpg: decryption failed: No secret key
$ guix package -i pinentry
$ pass [entry name]
[prompts with pinentry and works normally]

So pinentry and pass seem to both be available, but don't work together
unless I install pinentry via guix package.

My guix install is about two months behind, so sorry if this has already
been patched.

-Zacchaeus
Zacchaeus Scheffer wrote on 15 Feb 2022 21:16
(address . 54014@debbugs.gnu.org)
CAJejy7nTKQjOwrCy9s8M_J1PoNmg-CJL8tqk84=Da6K96B3V_A@mail.gmail.com
I thought it might be important to confirm package versions. Here are some
sample commands and their output:

before guix package -i pinentry (pass not giving pinentry prompt)

$ ls -l $(which -a pinentry)
lrwxrwxrwx 1 root root 71 Dec 31 1969
/home/zacchae/.guix-home/profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry

after guix package -i pinentry (pass works normally)

$ ls -l $(which -a pinentry)
lrwxrwxrwx 1 root root 71 Dec 31 1969
/home/zacchae/.guix-home/profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry
lrwxrwxrwx 1 root root 71 Dec 31 1969
/home/zacchae/.guix-profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry

So it's not as simple as a version mismatch.

-Zacchaeus
Liliana Marie Prikler wrote on 16 Feb 2022 08:55
b5785e97a42d9f575a25476907d76332c7d83b35.camel@ist.tugraz.at
Hi Zacchaeus,

On Tuesday, 15.02.2022 at 15:16 -0500, Zacchaeus Scheffer wrote:
> I thought it might be important to confirm package versions.  Here are
> some sample commands and their output:
>
> before guix package -i pinentry (pass not giving pinentry prompt)
>
> $ ls -l $(which -a pinentry)
> lrwxrwxrwx 1 root root 71 Dec 31  1969
> /home/zacchae/.guix-home/profile/bin/pinentry ->
> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry
>
> after guix package -i pinentry (pass works normally)
>
> $ ls -l $(which -a pinentry)
> lrwxrwxrwx 1 root root 71 Dec 31  1969
> /home/zacchae/.guix-home/profile/bin/pinentry ->
> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry
> lrwxrwxrwx 1 root root 71 Dec 31  1969
> /home/zacchae/.guix-profile/bin/pinentry ->
> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry
Did you duplicate the output here?

In any case, the issue you're describing would make sense if pass was
calling pinentry as simply "pinentry" rather than by store path. AFAIK
gpg has a configuration key telling it which pinentry to spawn -- I
personally set that to /run/current-system/profile/bin/pinentry-gnome3
on most of my machines. Does pass adhere to that setting or does it
try to call pinentry on its own?

Cheers
Andrew Tropin wrote on 4 Jul 2022 07:50
Re: bug#54014: guix home pinentry weirdness
877d4t5sue.fsf@trop.in
On 2022-02-15 13:46, Zacchaeus Scheffer wrote:

> Hi Guix,
>
> There seems to be some problem installing password-store + pinentry
> entirely via guix home. When I have both installed as such, I get the
> following outputs:
>
> $ pinentry
> OK Pleased to meet you
> <C-c>
> $ gpg --import ...
> [prompts normally with pinentry, allows me to import]
> $ pass
> [my password entries]
> $ pass [entry name]
> gpg: decryption failed: No secret key
> $ guix package -i pinentry
> $ pass [entry name]
> [prompts with pinentry and works normally]
>
> So pinentry and pass seem to both be available, but don't work together
> unless I install pinentry via guix package.
>
> My guix install is about two months behind, so sorry if this has already
> been patched.
>
> -Zacchaeus

I suspect that the problem is that someone at some moment of time
doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
find a pinentry. Can you show `which gpg`, `which pass`, `which
pinentry`?

The gnupg home service from rde project goes a slightly other way and
just sets pinentry-program to absolute path in the store. Such approach
works with pass well, you can take a look at it for inspiration:

--
Best regards,
Andrew Tropin
Zacchaeus Scheffer wrote on 17 Jul 2022 06:44
CAJejy7k9EqDHOwHJiaOXu3OdJurxoqu+e2-_v3Z5rDrkpDD5Ww@mail.gmail.com
On Mon, Jul 4, 2022 at 1:50 AM Andrew Tropin <andrew@trop.in> wrote:

> On 2022-02-15 13:46, Zacchaeus Scheffer wrote:
> > There seems to be some problem installing password-store + pinentry
> > entirely via guix home. When I have both installed as such, I get the
> > following outputs:
> >
> > $ pinentry
> > OK Pleased to meet you
> > <C-c>
> > $ gpg --import ...
> > [prompts normally with pinentry, allows me to import]
> > $ pass
> > [my password entries]
> > $ pass [entry name]
> > gpg: decryption failed: No secret key
> > $ guix package -i pinentry
> > $ pass [entry name]
> > [prompts with pinentry and works normally]
> >
> > So pinentry and pass seem to both be available, but don't work together
> > unless I install pinentry via guix package.
>
> I suspect that the problem is that someone at some moment of time
> doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
> find a pinentry. Can you show `which gpg`, `which pass`, `which
> pinentry`?
>
Before running "guix package -i pinentry"
$ which -a pinentry
/home/zacchae/.guix-home/profile/bin/pinentry
$ which -a gpg
/home/zacchae/.guix-home/profile/bin/gpg
$ which -a pass
/home/zacchae/.guix-home/profile/bin/pass
After running "guix package -i pinentry"
$ which -a pinentry
/home/zacchae/.guix-home/profile/bin/pinentry
/home/zacchae/.guix-profile/bin/pinentry
$ which -a gpg
/home/zacchae/.guix-home/profile/bin/gpg
$ which -a pass
/home/zacchae/.guix-home/profile/bin/pass

I can easily reproduce the behavior by removing or installing pinentry with
guix package. Paths behave as expected.

> The gnupg home service from rde project goes a slightly other way and
> just sets pinentry-program to absolute path in the store. Such approach
> works with pass well, you can take a look at it for inspiration:
>
> https://git.sr.ht/~abcdw/rde/tree/master/item/gnu/home-services/gnupg.scm#L127
>
I don't totally follow what's going on here, but maybe it will make more
sense later.
Andrew Tropin wrote on 18 Jul 2022 09:02
87r12i6gz4.fsf@trop.in
On 2022-07-17 00:44, Zacchaeus Scheffer wrote:

> On Mon, Jul 4, 2022 at 1:50 AM Andrew Tropin <andrew@trop.in> wrote:
>
>> On 2022-02-15 13:46, Zacchaeus Scheffer wrote:
>> > There seems to be some problem installing password-store + pinentry
>> > entirely via guix home. When I have both installed as such, I get the
>> > following outputs:
>> >
>> > $ pinentry
>> > OK Pleased to meet you
>> > <C-c>
>> > $ gpg --import ...
>> > [prompts normally with pinentry, allows me to import]
>> > $ pass
>> > [my password entries]
>> > $ pass [entry name]
>> > gpg: decryption failed: No secret key
>> > $ guix package -i pinentry
>> > $ pass [entry name]
>> > [prompts with pinentry and works normally]
>> >
>> > So pinentry and pass seem to both be available, but don't work together
>> > unless I install pinentry via guix package.
>>
>> I suspect that the problem is that someone at some moment of time
>> doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
>> find a pinentry. Can you show `which gpg`, `which pass`, `which
>> pinentry`?
>>
> Before running "guix package -i pinentry"
> $ which -a pinentry
> /home/zacchae/.guix-home/profile/bin/pinentry
> $ which -a gpg
> /home/zacchae/.guix-home/profile/bin/gpg
> $ which -a pass
> /home/zacchae/.guix-home/profile/bin/pass
> After running "guix package -i pinentry"
> $ which -a pinentry
> /home/zacchae/.guix-home/profile/bin/pinentry
> /home/zacchae/.guix-profile/bin/pinentry
> $ which -a gpg
> /home/zacchae/.guix-home/profile/bin/gpg
> $ which -a pass
> /home/zacchae/.guix-home/profile/bin/pass
>
> I can easily reproduce the behavior by removing or installing pinentry with
> guix package. Paths behave as expected.

Probably there are some hardcoded PATHs for .guix-profile, but not for
.guix-home/profile. One of such examples, which can be unrelated to the
current issue:

It will require investigation to find all the places, where and at what
time PATH (and maybe some other env vars) is/are set for all the
participants of the party to trace the root of the problem and properly
solve it =) Anyway, there is a workaround, which should help:

>
> The gnupg home service from rde project goes a slightly other way and
>> just sets pinentry-program to absolute path in the store. Such approach
>> works with pass well, you can take a look at it for inspiration:
>>
>> https://git.sr.ht/~abcdw/rde/tree/master/item/gnu/home-services/gnupg.scm#L127
>>
> I don't totally follow what's going on here, but maybe it will make more
> sense later.

Basically it adds the following content to gpg-agent.conf:

enable-ssh-support
pinentry-program /gnu/store/r5j2gmfv8akp8p746l6jqy5qwpz0zkhm-pinentry-qt-1.2.0/bin/pinentry-qt

You can try to set pinentry-program to
/home/zacchae/.guix-home/profile/bin/pinentry

Or better directly use gnupg home service.

--
Best regards,
Andrew Tropin
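Added example, not part of the thread and not code from Guix or rde: a POSIX shell check for the workaround above, reporting whether a gpg-agent.conf pins pinentry-program to an absolute path that still resolves to an executable, so the passphrase prompt does not depend on the agent's environment. The function name and status words are made up for this example.

```sh
#!/bin/sh
# Audit the pinentry-program setting in a gpg-agent.conf.
# Prints one status word and returns a matching exit code:
#   ok (0)        absolute path to an executable file
#   unset (1)     no pinentry-program line; gpg-agent uses its default
#   relative (2)  value is not an absolute path
#   missing (3)   absolute path that does not exist or is not executable
check_pinentry_program() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return 1; }
    # Commented-out lines do not match. Take the last matching line
    # (assumption: a later entry overrides an earlier one) and strip
    # trailing whitespace from the value.
    prog=$(sed -n \
        's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1)
    [ -n "$prog" ] || { echo unset; return 1; }
    case $prog in
        /*) ;;
        *) echo relative; return 2 ;;
    esac
    # -f and -x follow symlinks, so a profile symlink into /gnu/store
    # passes only while the store item it points to still exists.
    if [ -f "$prog" ] && [ -x "$prog" ]; then
        echo ok
        return 0
    fi
    echo missing
    return 3
}

# Typical call against the real configuration:
#   check_pinentry_program "$(gpgconf --list-dirs homedir)/gpg-agent.conf"
```

After editing gpg-agent.conf, `gpgconf --reload gpg-agent` makes the running agent pick up the new setting.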