gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

  • Done
Details
8 participants
  • Alexandre Hannud Abdo
  • Alex Kost
  • Federico Beffa
  • Brice Waegeneire
  • Danny Milosavljevic
  • Leo Famulari
  • Ludovic Courtès
  • Robert Vollmert
Owner
unassigned
Submitted by
Danny Milosavljevic
Severity
important
Danny Milosavljevic wrote on 26 Jul 2016 18:05
(address . bug-guix@gnu.org)
20160726180507.21e5e8e0@scratchpost.org
dannym@dayas ~/src/guix$ strace -f git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
[pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
[pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32

dannym@dayas ~$ which pinentry
/home/dannym/.guix-profile/bin/pinentry
dannym@dayas ~$ pinen<TAB>
pinentry pinentry-curses pinentry-gtk-2 pinentry-tty
dannym@dayas ~$ pinentry
OK Pleased to meet you
Ludovic Courtès wrote on 26 Jul 2016 22:30
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 24076@debbugs.gnu.org)
87poq016rt.fsf@gnu.org
Danny Milosavljevic <dannym@scratchpost.org> skribis:

> dannym@dayas ~/src/guix$ strace -f git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
> [pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
> [pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
>
> dannym@dayas ~$ which pinentry
> /home/dannym/.guix-profile/bin/pinentry
> dannym@dayas ~$ pinen<TAB>
> pinentry pinentry-curses pinentry-gtk-2 pinentry-tty
> dannym@dayas ~$ pinentry
> OK Pleased to meet you

My ~/.gnupg/gpg-agent.conf file reads this:

pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2

… and I have:

$ guix package --list-installed=pinentry
pinentry 0.9.7 out /gnu/store/2ngvzmsmjykaiv697ffnl7ajc3dm0rrh-pinentry-0.9.7

Could it be that you’re missing one of these?

HTH,
Ludo’.
Danny Milosavljevic wrote on 27 Jul 2016 11:54
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24076@debbugs.gnu.org)
20160727115405.704f02ac@scratchpost.org
Hi Ludo,

> My ~/.gnupg/gpg-agent.conf file reads this:
>
> --8<---------------cut here---------------start------------->8---
> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
> --8<---------------cut here---------------end--------------->8---

Yes, the file didn't exist. I created it and it works now.

I did install the pinentry package, though.

Do you think it would make sense to put this in the skeleton for new user accounts?

It wouldn't matter if it were not installed then - then the user will get an error message and would install it (hopefully). But then it would work.
Ludovic Courtès wrote on 27 Jul 2016 13:01
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 24076@debbugs.gnu.org)
878twnz6o4.fsf@gnu.org
Hi,

Danny Milosavljevic <dannym@scratchpost.org> skribis:

>> My ~/.gnupg/gpg-agent.conf file reads this:
>>
>> --8<---------------cut here---------------start------------->8---
>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>> --8<---------------cut here---------------end--------------->8---
>
> Yes, the file didn't exist. I created it and it works now.

Great.

> I did install the pinentry package, though.
>
> Do you think it would make sense to put this in the skeleton for new user accounts?

Maybe. Ideally, this would be addressed by GnuPG itself, which should
somehow make it easier to set it up, because there’s nothing
GuixSD-specific here AFAICS. What do other distros do to help?

Thanks,
Ludo’.
Alex Kost wrote on 28 Jul 2016 11:56
(name . Ludovic Courtès)(address . ludo@gnu.org)
87popy13x6.fsf@gmail.com
Ludovic Courtès (2016-07-27 14:01 +0300) wrote:

> Hi,
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>> --8<---------------cut here---------------end--------------->8---
>>
>> Yes, the file didn't exist. I created it and it works now.
>
> Great.
>
>> I did install the pinentry package, though.
>>
>> Do you think it would make sense to put this in the skeleton for new user accounts?
>
> Maybe. Ideally, this would be addressed by GnuPG itself, which should
> somehow make it easier to set it up, because there’s nothing
> GuixSD-specific here AFAICS. What do other distros do to help?

My guess: other distros do nothing, because GnuPG searches for
pinentries in a default bindir, I mean in a dir where gpg is placed
(/usr/bin or whatever).

IMO this is Guix-specific, as you have to run gpg-agent with
--pinentry-program option (or specify it in the "gpg-agent.conf" file).

--
Alex
Ludovic Courtès wrote on 28 Jul 2016 13:52
(name . Alex Kost)(address . alezost@gmail.com)
87shuuj7y4.fsf@gnu.org
Alex Kost <alezost@gmail.com> skribis:

> Ludovic Courtès (2016-07-27 14:01 +0300) wrote:
>
>> Hi,
>>
>> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>>
>>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> Yes, the file didn't exist. I created it and it works now.
>>
>> Great.
>>
>>> I did install the pinentry package, though.
>>>
>>> Do you think it would make sense to put this in the skeleton for new user accounts?
>>
>> Maybe. Ideally, this would be addressed by GnuPG itself, which should
>> somehow make it easier to set it up, because there’s nothing
>> GuixSD-specific here AFAICS. What do other distros do to help?
>
> My guess: other distros do nothing, because GnuPG searches for
> pinentries in a default bindir, I mean in a dir where gpg is placed
> (/usr/bin or whatever).
>
> IMO this is Guix-specific, as you have to run gpg-agent with
> --pinentry-program option (or specify it in the "gpg-agent.conf" file).

Good point.

What about having GnuPG depend on pinentry-tty, and configuring it with:

--with-pinentry-pgm=/path/to/pinentry-tty

? That would at least provide a reasonable default. The closure size
of GnuPG would increase from 220 to 243 MiB (+10%).

Most of the time, people will want to use pinentry-gtk though.

Another option would be to change ‘gnupg_module_name’, in homedir.c, from:

    case GNUPG_MODULE_NAME_PINENTRY:
#ifdef GNUPG_DEFAULT_PINENTRY
      return GNUPG_DEFAULT_PINENTRY;
#else
      X(bindir, "pinentry");
#endif

to something like:

    case GNUPG_MODULE_NAME_PINENTRY:
      X(homedir, ".guix-profile/bin/pinentry");

… in which case GnuPG would default to the user-installed pinentry, if
available. Not perfect either, but closer to what other distros do.

Thoughts?

Ludo’.
Danny Milosavljevic wrote on 28 Jul 2016 14:04
(name . Ludovic Courtès)(address . ludo@gnu.org)
20160728140441.5e8a0db0@scratchpost.org
> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>
> --8<---------------cut here---------------start------------->8---
> case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
> return GNUPG_DEFAULT_PINENTRY;
> #else
> X(bindir, "pinentry");
> #endif
> --8<---------------cut here---------------end--------------->8---
>
> to something like:
>
> --8<---------------cut here---------------start------------->8---
> case GNUPG_MODULE_NAME_PINENTRY:
> X(homedir, ".guix-profile/bin/pinentry);
> --8<---------------cut here---------------end--------------->8---
>
> … in which case GnuPG would default to the user-installed pinentry, if
> available. Not perfect either, but closer to what other distros do.

I would like that, yes. It's not like the X(bindir, "pinentry") would ever work in GuixSD anyway - so no loss.
Alex Kost wrote on 28 Jul 2016 19:58
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)
8737mtr6ey.fsf@gmail.com
Danny Milosavljevic (2016-07-28 15:04 +0300) wrote:

>> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>>
>> --8<---------------cut here---------------start------------->8---
>> case GNUPG_MODULE_NAME_PINENTRY:
>> #ifdef GNUPG_DEFAULT_PINENTRY
>> return GNUPG_DEFAULT_PINENTRY;
>> #else
>> X(bindir, "pinentry");
>> #endif
>> --8<---------------cut here---------------end--------------->8---
>>
>> to something like:
>>
>> --8<---------------cut here---------------start------------->8---
>> case GNUPG_MODULE_NAME_PINENTRY:
>> X(homedir, ".guix-profile/bin/pinentry);
>> --8<---------------cut here---------------end--------------->8---
>>
>> … in which case GnuPG would default to the user-installed pinentry, if
>> available. Not perfect either, but closer to what other distros do.
>
> I would like that, yes. It's not like the X(bindir, "pinentry") would
> ever work in GuixSD anyway - so no loss.

(Not only GuixSD, but Guix in general)

I agree, this would be better than the current situation.

--
Alex
Federico Beffa wrote on 14 Oct 2016 08:45
(address . 24076@debbugs.gnu.org)
CAKrPhPM5UcDkkz0h7MLKK2GJPn4bY6GyGg5W7zMGA43oHC-nfQ@mail.gmail.com
Note that installing 'gnupg' doesn't automatically bring in
'pinentry'. For this reason installing 'gnupg' doesn't work out of the
box as a user would expect:

gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry


Fede
Ludovic Courtès wrote on 14 Oct 2016 15:16
(name . Federico Beffa)(address . beffa@ieee.org)(address . 24076@debbugs.gnu.org)
871szjax4r.fsf@gnu.org
Federico Beffa <beffa@ieee.org> skribis:

> Note that installing 'gnupg' doesn't automatically bring in
> 'pinentry'. For this reason installing 'gnupg' doesn't work out of the
> box as a user would expect:
>
> gpg: agent_genkey failed: No pinentry
> Key generation failed: No pinentry

I agree that this is a problem. A fix that would work is the 2nd option
outlined at:


Haven’t taken the time to look into it yet!

Ludo’.
Robert Vollmert wrote on 22 Jul 2019 13:44
gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is
(address . 24076@debbugs.gnu.org)
E02B2A78-B025-4723-A296-5E88357E60F0@vllmrt.net
Just to note that this is still a problem. I just installed
gnupg (via guix install gnupg), and gpg --generate-keys fails
due to missing pinentry. I had to find this bug report to
work around this.
Brice Waegeneire wrote on 20 Mar 2020 21:36
merge 37266 24076
(address . control@debbugs.gnu.org)
b767d0eb10e4a8c78b1ad74488c636be@waegenei.re
severity 24076 important
merge 37266 24076
quit
Ludovic Courtès wrote on 26 Mar 2020 13:09
Re: bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is
(name . Alex Kost)(address . alezost@gmail.com)
87pncz9v23.fsf@gnu.org
Hi!

ludo@gnu.org (Ludovic Courtès) skribis:

> What about having GnuPG depend on pinentry-tty, and configuring it with:
>
> --with-pinentry-pgm=/path/to/pinentry-tty
>
> ? That would at least provide a reasonable default. The closure size
> of GnuPG would increase from 220 to 243 MiB (+10%).
>
> Most of the time, people will want to use pinentry-gtk though.
>
> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>
> case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
> return GNUPG_DEFAULT_PINENTRY;
> #else
> X(bindir, "pinentry");
> #endif
>
>
> to something like:
>
> case GNUPG_MODULE_NAME_PINENTRY:
> X(homedir, ".guix-profile/bin/pinentry);
>
> … in which case GnuPG would default to the user-installed pinentry, if
> available. Not perfect either, but closer to what other distros do.

I (finally!) implemented this second option in commit
c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

I confirmed that it has the intended effect like this:

ludo@ribbon ~/src/guix$ ./pre-inst-env guix environment --ad-hoc gnupg strace coreutils sed grep -C
ludo@ribbon ~/src/guix [env]$ strace -f -o ,,s -s 500 gpg --generate-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/ludo/.gnupg' created
gpg: keybox '/home/ludo/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Foo Bar
Email address: foo@example.org
You selected this USER-ID:
"Foo Bar <foo@example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry


where the strace log shows:

10 execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)

So now one just needs to install one of the pinentry packages.

Thanks,
Ludo’.
Closed
Leo Famulari wrote on 27 Mar 2020 21:02
(address . 24076@debbugs.gnu.org)(address . ludo@gnu.org)
20200327200226.GA14330@jasmine.lan
On Thu, Mar 26, 2020 at 01:09:40PM +0100, Ludovic Courtès wrote:
> I (finally!) implemented this second option in commit
> c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

It still doesn't work for me :/

> I confirmed that it has the indented effect like this:
[...]
> where the strace log shows:
>
> 10 execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)

This path includes the ~/.gnupg directory, so users need to do `export
GNUPGHOME=$HOME` for the lookup to work.

Is it okay to make GnuPG do that automatically when building the path in
get_default_pinentry_name()?
Leo Famulari wrote on 27 Mar 2020 23:48
[PATCH] gnu: GnuPG: Really use ~/.guix-profile/bin/pinentry by default.
(address . 24076@debbugs.gnu.org)
f71a360068e4dd9794c4f114361213e7569ff914.1585349180.git.leo@famulari.name
This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

This patch does as expected for me! But it's been some years since I
wrote C code, so I copied existing functions and fought through compiler
errors to write this — please give a close review.

* gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find
the user's Guix profile and installed pinentry.
---
.../patches/gnupg-default-pinentry.patch | 39 +++++++++++++++----
1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/patches/gnupg-default-pinentry.patch b/gnu/packages/patches/gnupg-default-pinentry.patch
index 272f4b53dc..5a3189b98a 100644
--- a/gnu/packages/patches/gnupg-default-pinentry.patch
+++ b/gnu/packages/patches/gnupg-default-pinentry.patch
@@ -1,15 +1,40 @@
-Default to the pinentry program installed in ~/.guix-profile.
-
diff --git a/common/homedir.c b/common/homedir.c
-index e9e75d0..74e0aaf 100644
+index 4b6e46e88..de71e97b1 100644
--- a/common/homedir.c
+++ b/common/homedir.c
-@@ -968,7 +968,7 @@ get_default_pinentry_name (int reset)
+@@ -67,6 +67,10 @@
+ * gnupg_homedir and gnupg_set_homedir. Malloced. */
+ static char *the_gnupg_homedir;
+
++/* The user's home directory. Used in Guix to help GnuPG find the
++ * pinentry. */
++static char *the_user_homedir;
++
+ /* Flag indicating that home directory is not the default one. */
+ static byte non_default_homedir;
+
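Review bot: the comment on `the_user_homedir` says what it is for but not how it behaves: it is malloced once by user_homedir() below and never freed or reset, so it caches whatever $HOME held on the first call for the rest of the process, and unlike `the_gnupg_homedir` just above it it intentionally ignores --homedir and GNUPGHOME. Saying both things in the comment will save the next reader from assuming it tracks gnupg_homedir().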
+@@ -509,6 +513,16 @@ gnupg_homedir (void)
+ return the_gnupg_homedir;
+ }
+
++/* Return the user's home directory */
++const char *
++user_homedir (void)
++{
++ const char *dir;
++ dir = getenv("HOME");
++ if (!the_user_homedir)
++ the_user_homedir = make_absfilename (dir, NULL);
++ return the_user_homedir;
++}
+
+ /* Return whether the home dir is the default one. */
+ int
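Review bot: `dir` from getenv("HOME") is passed to make_absfilename unchecked, so a process started without HOME (a system service, cron, `env -i`) hands it a NULL; fall back to getpwuid(getuid())->pw_dir and then to "/" before the make_absfilename call. Two smaller points: the getenv runs on every call although its result is only used on the first, so move it inside the `if (!the_user_homedir)`; and if user_homedir() is only ever called from get_default_pinentry_name() in this file, make it static rather than adding an undeclared exported symbol.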
+@@ -971,6 +985,7 @@ get_default_pinentry_name (int reset)
} names[] = {
/* The first entry is what we return in case we found no
other pinentry. */
-- { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S },
-+ { gnupg_homedir, "/.guix-profile/bin/pinentry" },
++ { user_homedir, "/.guix-profile/bin/pinentry" },
+ { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S },
#ifdef HAVE_W32_SYSTEM
/* Try Gpg4win directory (with bin and without.) */
- { w32_rootdir, "\\..\\Gpg4win\\bin\\pinentry.exe" },
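Review bot: with `user_homedir` in the first slot, the $HOME-derived path is also what the "No pinentry" failure will name when nothing is found (the comment above the table says the first entry is returned in that case), which is exactly the diagnostic the earlier strace had to recover by hand; that is worth a sentence in the patch header. Keeping the `gnupg_bindir` entry second is harmless but dead on Guix, as Danny noted, since the gnupg store path never contains a pinentry. The header should also state the trust assumption the change makes: gpg-agent now execs a program located through an environment variable its caller controls, which is acceptable only because everything running under the same uid is already trusted by the agent.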
--
2.26.0
Ludovic Courtès wrote on 29 Mar 2020 16:57
(name . Leo Famulari)(address . leo@famulari.name)(address . 24076@debbugs.gnu.org)
87ftdryzs2.fsf@gnu.org
Hi Leo!

Leo Famulari <leo@famulari.name> skribis:

> This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.
>
> This patch does as expected for me! But it's been some years since I
> wrote C code, so I copy existing functions and fought through compiler
> errors to write this — please give a close review.
>
> * gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find
> the user's Guix profile and installed pinentry.

Thanks for fixing it, and apologies for the mistake!

> ++/* Return the user's home directory */
> ++const char *
> ++user_homedir (void)
> ++{
> ++ const char *dir;
> ++ dir = getenv("HOME");

Here I’d add:

  if (dir == NULL)
    {
      struct passwd *pw;   /* from <pwd.h>; the type is passwd, not password */
      pw = getpwuid (getuid ());
      if (pw != NULL)
        dir = pw->pw_dir;
      else
        dir = "/";
    }

Otherwise LGTM!

Ludo’.
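The lookup that Ludovic's homedir.c proposal and Leo's follow-up patch changed, together with the $HOME fallback asked for in the review above, carried through as an added example. This is not GnuPG's, Guix's or any participant's code: the candidate table only has the shape of names[] in common/homedir.c (a directory callback plus a suffix), the fake bindir under /gnu/store, the demo HOME the caller chooses, the helper that plants a fake pinentry and every example_* name are assumptions made for the example. It shows why the first commit resolved to ~/.gnupg/.guix-profile/bin/pinentry, what the fixed table resolves to, and what the error path reports when no pinentry is installed.

```c
/* Added example, not GnuPG's, Guix's or any participant's code: a
 * stand-alone model of the default-pinentry lookup debated in this
 * thread.  The candidate table has the shape of names[] in GnuPG's
 * common/homedir.c; the fake bindir and every example_* name are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* $HOME, else the passwd entry for the current uid, else "/": the
 * fallback Ludovic asked for in review.  Deliberately not cached. */
const char *
example_user_homedir (void)
{
  const char *dir = getenv ("HOME");
  if (dir == NULL || *dir == '\0')
    {
      struct passwd *pw = getpwuid (getuid ());
      dir = (pw != NULL && pw->pw_dir != NULL) ? pw->pw_dir : "/";
    }
  return dir;
}

/* Stand-in for gnupg_homedir(): $GNUPGHOME or ~/.gnupg.  Anchoring the
 * profile path here is the mistake Leo caught in the first commit. */
const char *
example_gnupg_homedir (void)
{
  static char buf[4096];
  const char *env = getenv ("GNUPGHOME");
  if (env != NULL && *env != '\0')
    return env;
  snprintf (buf, sizeof buf, "%s/.gnupg", example_user_homedir ());
  return buf;
}

/* Assumed gnupg_bindir(): on Guix a store path that never holds a pinentry. */
const char *example_bindir (void) { return "/gnu/store/example-gnupg-2.2.20/bin"; }

struct candidate { const char *(*dirfn) (void); const char *suffix; };
struct pinentry_lookup { int found; char path[4096]; };

/* Put BASE in the first slot (user_homedir after the fix, gnupg_homedir
 * before it) and return the first candidate that exists.  If none does,
 * FOUND is 0 and PATH is the first entry, as the comment in GnuPG's names[]
 * promises, so a "No pinentry" error can say where it looked. */
const struct pinentry_lookup *
example_default_pinentry (const char *(*base) (void))
{
  static struct pinentry_lookup r;
  const struct candidate names[] = {
    { base, "/.guix-profile/bin/pinentry" },
    { example_bindir, "/pinentry" },
  };
  for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
    {
      snprintf (r.path, sizeof r.path, "%s%s", names[i].dirfn (), names[i].suffix);
      r.found = (access (r.path, F_OK) == 0);
      if (r.found)
        return &r;
    }
  snprintf (r.path, sizeof r.path, "%s%s", names[0].dirfn (), names[0].suffix);
  return &r;
}

/* Create HOME/.guix-profile/bin/pinentry as a small executable script.  0 on success. */
int
example_install_fake_pinentry (const char *home)
{
  static const char *sub[] = { "", "/.guix-profile", "/.guix-profile/bin" };
  static const char script[] = "#!/bin/sh\necho 'OK Pleased to meet you'\n";
  char path[4096];
  for (size_t i = 0; i < 3; i++)
    {
      snprintf (path, sizeof path, "%s%s", home, sub[i]);
      if (mkdir (path, 0755) != 0 && errno != EEXIST)
        return -1;
    }
  snprintf (path, sizeof path, "%s/.guix-profile/bin/pinentry", home);
  int fd = open (path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
  if (fd < 0)
    return -1;
  int ok = write (fd, script, sizeof script - 1) == (ssize_t) (sizeof script - 1);
  close (fd);
  return (ok && chmod (path, 0755) == 0) ? 0 : -1;
}

int
main (void)
{
  const struct pinentry_lookup *r = example_default_pinentry (example_user_homedir);
  printf ("%s: %s\n", r->found ? "pinentry" : "No pinentry, expected at", r->path);
  return r->found ? 0 : 1;
}
```

Run it with HOME pointing at a profile that has no pinentry and it prints the same path the strace above had to reveal, which is the whole point of putting the profile entry first in the table; swap `example_gnupg_homedir` into the call in `main` and the reported path gains the `/.gnupg` component Leo noticed.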
Leo Famulari wrote on 29 Mar 2020 21:27
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24076-done@debbugs.gnu.org)
20200329192746.GA16678@jasmine.lan
On Sun, Mar 29, 2020 at 04:57:33PM +0200, Ludovic Courtès wrote:
> Here I’d add:
>
> if (dir == NULL)
> {
> struct password *pw;
> pw = getpwuid (getuid ());
> if (pw != NULL)
> dir = pw->pw_dir;
> else
> dir = "/";
> }
>
> Otherwise LGTM!

Thanks, good idea! Pushed as e5b44b06b3fb19c897fb3e430bd41941905e101f
Closed
Alexandre Hannud Abdo wrote on 22 Apr 2021 23:43
(address . control@debbugs.gnu.org)
8c9825b8e41f4dcfd9ecd9f0351b3d73eebee325.camel@member.fsf.org
unarchive 24076
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQQ4aRTDkc5D704CYnMQUI+lk7e+bQUCYIHuHAAKCRAQUI+lk7e+
badoAJwJdK4XrqTpviE7KTetMMG2GhOWGwCdG6OE73MnZUfQu32I0Lj8OydxmYo=
=2Z9Z
-----END PGP SIGNATURE-----


Alexandre Hannud Abdo wrote on 22 Apr 2021 23:49
(address . 24076@debbugs.gnu.org)
a1ec1b565e1e9075ccb26f2c33f3d75c68835bce.camel@member.fsf.org
Ni! For info, when installing Guix System with the gnome service,
pinentry is installed but it's in the system profile, so it still
doesn't work out of the box, and it's still not obvious that you need
to install it to solve the problem. Maybe the system pinentry could be
included? Cheers, ale .~´
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQQ4aRTDkc5D704CYnMQUI+lk7e+bQUCYIHvVgAKCRAQUI+lk7e+
ba4wAJ9cGS3DBXBDW+yjWmtT/DHVBKxvOgCggZxfi4ZwFnpAU5r90gSgUdSg6Gk=
=vAIu
-----END PGP SIGNATURE-----