[Bug 754700] New: No default functional gpg agent in xfce
https://bugzilla.novell.com/show_bug.cgi?id=754700

Summary: No default functional gpg agent in xfce
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: Other
OS/Version: openSUSE 12.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Xfce
AssignedTo: bnc-team-xfce@forge.provo.novell.com
ReportedBy: vdziewiecki@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I noticed this while trying to send a gpg signed e-mail from thunderbird. No functional gpg agent appears to be running by default.

Steps to Reproduce:
- Log in to xfce session
- Launch thunderbird and try to send a gpg signed message with password-protected key.
- You will probably see this error:

  (pinentry-gtk-2:9487): Gtk-WARNING **: cannot open display: :0.0
  gpg-agent[9486]: can't connect to the PIN entry module: End of file
  gpg-agent[9486]: command get_passphrase failed: No pinentry

- Run xhost +
- Send a gpg signed message, then another one.

Actual results:
- Neither pinentry nor gnome-keyring dialog appears upon trying to sign e-mail. Pinentry somehow does not inherit the XAUTHORITY and XAUTHLOCALHOSTNAME variables, so it does not have access to X.
- If I work around this with xhost +, I send the first e-mail, the pinentry dialog appears, I type the password, then when I send another signed e-mail 20 seconds after the first one, it asks for the password again.

Expected results:
- Either pinentry or gnome-keyring dialog appears, asking for the password.
- Either gpg-agent or gnome-keyring-daemon remembers the password for a given period of time.

Additional information:
This works perfectly with gnome-keyring, if I set the "Launch GNOME services on startup" option in "Session and Startup". In this case, gnome-keyring handles the password.
However, with this option unselected (default), the gnome-keyring-daemon does not start properly, although some of its components do, notably gnome-keyring-gpg, gnome-keyring-pkcs11, gnome-keyring-secrets, gnome-keyring-ssh, because they have .desktop files in ~/.config/autostart/. At first, I thought these prevented gpg-agent from running, as seen in /etc/X11/xdm/sys.xsession:

  # No gpg-agent if a gpg session is already provided by an other agent.
  #
  if test "$usegpg" = yes -a -n "$GNOME_KEYRING_PID" ; then
      # gnome-keyring provides a gpg agent starting with GNOME 3
      if test -d "$GNOME_KEYRING_CONTROL"; then
          usegpg=no
      fi
  fi

But this is what I don't understand: regardless of whether I disable them in "Session and Startup" or leave them enabled, both gpg-agent and gnome-keyring processes exist:

  /usr/bin/gnome-keyring-daemon --daemonize --login
  gpg-agent --daemon

But they don't handle the password correctly, and they somehow didn't set the variable GPG_AGENT_INFO (set | grep GPG_AGENT: empty output), which both of them should set, as seen in the output of gpg-agent --daemon or gnome-keyring-daemon: GPG_AGENT_INFO=/tmp/something
Also, in case of gnome-keyring-daemon, the SSH_AUTH_SOCK variable is not set, which could cause problems too.
E-mail signing also works perfectly with gpg-agent and pinentry, if I manually run gpg-agent like this: eval $(gpg-agent --daemon) && thunderbird, or if I log in to a simple session, like icewm (gpg-agent starts correctly). In this case, the pinentry dialog appears and the gpg-agent correctly remembers the password for a period of time set in ~/.gnupg/gpg-agent.conf.
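An added shell self-check, not from the bug report or from xfce4-session, for the two failure modes this report describes: pinentry unable to reach the X display, and a session with no GPG_AGENT_INFO (or a stale one). Environment values are passed as arguments so it can be run against constructed inputs; the "socketpath:pid:protocol" layout of GPG_AGENT_INFO is the GnuPG 2.0 convention.

```shell
#!/bin/sh
# Added example (not part of the bug report): self-check for the two failure
# modes described above. Values are passed as arguments rather than read from
# the real environment so the check can be exercised with constructed inputs.
# Usage: check_gpg_session DISPLAY XAUTHORITY GPG_AGENT_INFO GNOME_KEYRING_PID
# Prints one problem per line; exit status 0 means the session looks usable.
check_gpg_session() {
    display=$1
    xauth=$2
    agent_info=$3
    keyring_pid=$4
    rc=0
    # pinentry-gtk-2 needs DISPLAY and, if XAUTHORITY is set, a readable cookie
    # file; otherwise it fails with "cannot open display" and gpg-agent in turn
    # reports "No pinentry".
    if [ -z "$display" ]; then
        echo "DISPLAY unset: a graphical pinentry cannot open the X display"
        rc=1
    elif [ -n "$xauth" ] && [ ! -r "$xauth" ]; then
        echo "XAUTHORITY=$xauth is not readable: X will reject the connection"
        rc=1
    fi
    # Without GPG_AGENT_INFO gpg finds no agent at all, so neither gpg-agent
    # nor gnome-keyring's gpg component can cache the passphrase.
    if [ -z "$agent_info" ]; then
        if [ -n "$keyring_pid" ]; then
            echo "GNOME_KEYRING_PID set but GPG_AGENT_INFO empty: keyring runs without gpg support"
        else
            echo "GPG_AGENT_INFO unset: no gpg agent in this session"
        fi
        rc=1
    else
        # GnuPG 2.0 convention: GPG_AGENT_INFO is "socketpath:pid:protocol"
        sock=${agent_info%%:*}
        if [ ! -e "$sock" ]; then
            echo "agent socket $sock does not exist: stale GPG_AGENT_INFO"
            rc=1
        fi
    fi
    return $rc
}

# Stand-alone use against the current session:
# check_gpg_session "$DISPLAY" "$XAUTHORITY" "$GPG_AGENT_INFO" "$GNOME_KEYRING_PID"
```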
--- Comment #1 from Stanislav Brabec
--- Comment #2 from Stanislav Brabec
--- Comment #3 from Guido Berhörster
--- Comment #4 from Guido Berhörster
> - XFCE does not work properly if pam-keyring starts gnome-keyring

It does, but it currently requires that you enable GNOME compatibility mode which is disabled by default. The daemon will always be started through PAM.

> - Starting gnome-keyring modules from autostart desktop files makes no sense, because there is no way how to pass new system variables back to the system environment. Either all modules have to be started by PAM or session startup, or the environment has to implement magic to get new environment variables and pass it to any started application.

xfce4-session has some custom code executing "gnome-keyring-daemon --start" which reads the environment variables from stdout and exports them into the session.
--- Comment #5 from Guido Berhörster
> And fourth possible bug: /etc/X11/xdm/sys.xsession incorrectly assumes that gnome-keyring always handles ssh and gnupg. But these features are optional. If the environment does not implement the post-launch environment variable injection, then presence of GNOME_KEYRING_PID and absence of GPG_AGENT_PID means that gnome-keyring-daemon runs without gnupg support.

Note that for Xfce this is currently an all-or-nothing operation: either all keyring modules are initialized or none, depending on whether GNOME compatibility mode is enabled, since it does not support selectively disabling them as GNOME does.
--- Comment #6 from Vojta Dziewięcki
> The recommended gpg- and ssh-agent for Xfce is gnome-keyring, in order to make use of it you have to enable "Launch GNOME services on startup" in the Session preferences.

If it is recommended, it should definitely be enabled by default. Would that be possible, at least in 12.2?
From the point of view of a simple user, it is hard to figure out that all his/her problems with passwords can be solved by enabling this option, and the issue is quite annoying.

> If you want to run gpg-agent I'd suggest you first disable "Launch GNOME services on startup" and then copy /etc/xdg/xfce4/xinitrc to $HOME/.config/xfce4/xinitrc and add "eval $(gpg-agent --daemon)" to that script.

And if someone wants to use the non-recommended gpg-agent, then he/she can do it like this, yes. But the recommended option should run out of the box.

> For the problems with pinentry-gtk-2 please file a separate bug against pinentry.

I will, but after I figure out how to fix it, since I maintain pinentry myself :)

> So the only issue I see here is that GNOME compatibility mode ("Launch GNOME services on startup") is not active by default.

Yes. IMHO there should also be a warning message that your keyring management won't work, if you try to disable it.
--- Comment #7 from Guido Berhörster
> If it is recommended, it should definitely be enabled by default. Would that be

Recommended as in "Xfce doesn't have its own technology for that and this is the only implementation that can be relatively easily used".

> possible, at least in 12.2? From the point of view of a simple user, it is hard to figure out that all his/her problems with passwords can be solved by enabling this option, and the issue is quite annoying.

Considering that GNOME/KDE offer this functionality out of the box I agree that's reasonable and I'll enable it for 12.2.

> Yes. IMHO there should also be a warning message that your keyring management won't work, if you try to disable it.

This is actually documented: the settings dialog says "Start GNOME services, such as gnome-keyring" and it's noted in the documentation as well, see http://docs.xfce.org/xfce/xfce4-session/preferences#advanced.
--- Comment #8 from Stanislav Brabec
--- Comment #9 from Guido Berhörster
> So if I understand correctly, GNOME has implemented its own way to pass environment variables to the session. So the autostart approach could work.

Yes, other session managers would need to implement the org.gnome.SessionManager through which gnome-keyring passes them to g-s-m and probably also support the X-GNOME-Autostart-Phase stuff. Not likely to happen any time soon in Xfce, although this is tracked in https://bugzilla.xfce.org/show_bug.cgi?id=8014

> Other session types don't, so variables have to be set in the session initialization.
> Regarding comment 5: Even if gnome-keyring-daemon serves "nothing", /etc/X11/xdm/sys.xsession still disables running of separate gnupg and ssh agents.

Right, from /etc/pam.d/common-session:

  session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

So if you log in with gdm, lxdm or lightdm gnome-keyring will always be started and set GNOME_KEYRING_CONTROL/GNOME_KEYRING_PID for the session although it may not be usable if GNOME compatibility mode is turned off in xfce4-session. Apart from that it is of course also plain wrong when you e.g. use gdm to log into a KDE session. Since xfce4-session or even the GNOME-only gnome-keyring autostart files are processed _after_ sys.xsession which is called from Xsession, there is no way for it to know whether gnome-keyring is actually being used. So there you have two problems: gnome-keyring is initialized from PAM regardless of whether it is actually used or not, and the hairball of session wrapper scripts in /etc/X11/xdm cannot really know that either.
--- Comment #10 from Stanislav Brabec
--- Comment #11 from Guido Berhörster
--- Comment #12 from Bernhard Wiedemann
--- Comment #13 from Guido Berhörster