[Bug 619295] New: gpg password entry does not work on command line without X
http://bugzilla.novell.com/show_bug.cgi?id=619295
http://bugzilla.novell.com/show_bug.cgi?id=619295#c0

Summary: gpg password entry does not work on command line without X
Classification: openSUSE
Product: openSUSE 11.3
Version: RC 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: andi-nbz@firstfloor.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4

Trying to decrypt a file on a ssh session without X:

    %gpg < file.gpg
    pinentry-qt: no LC_CTYPE known - assuming UTF-8
    pinentry-qt: no LC_CTYPE known - assuming UTF-8
    pinentry-qt: no LC_CTYPE known - assuming UTF-8
    pinentry-qt: no LC_CTYPE known - assuming UTF-8

First the stair case looks ugly and then I cannot actually enter a password. Only Ctrl-C does something.

I have not found a workaround for this problem, gpg is basically unusable.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=619295#c1
--- Comment #1 from Andi N Kleen
http://bugzilla.novell.com/show_bug.cgi?id=619295#c2
--- Comment #2 from Andi N Kleen
http://bugzilla.novell.com/show_bug.cgi?id=619295#c
yang xiaoyu
http://bugzilla.novell.com/show_bug.cgi?id=619295#c3
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=619295#c4
--- Comment #4 from Andi N Kleen
http://bugzilla.novell.com/show_bug.cgi?id=619295#c5
Petr Uzel

> ok looking closer it seems the fallback logic in /usr/bin/pinentry is simply broken.

Actually it is not - the reason is that all pinentry-{qt,qt4,gtk-2} fall back to built-in curses interface if DISPLAY is not set (see 'info pinentry'). OTOH, with your patch the fallback mechanism is not needed and also the script is more 'clear', so I'll push it.

> this fixes the fallback logic for no $DISPLAY, but unfortunately pinentry-curses still doesn't work

Could you please try to 'export GPG_TTY=$(tty)' and eventually restart gpg-agent if it has been running before? (man gpg-agent)

TIA
http://bugzilla.novell.com/show_bug.cgi?id=619295#c6
--- Comment #6 from Andi N Kleen
http://bugzilla.novell.com/show_bug.cgi?id=619295#c7
Petr Uzel

> With GPG_TTY set the curses entry works thanks. So could just set that in the pinentry script?

Setting it in the pinentry script won't work - the script is executed without terminal connected to the stdin.

IMHO the solution is to put the 'export GPG_TTY=$(tty)' into some of the /etc/*{bash,profile}* - Rudi, AFAIK you are the master of these bash initialization files - could you please put the line to where it belongs (my guess is /etc/bash.bashrc)?
http://bugzilla.novell.com/show_bug.cgi?id=619295#c8
--- Comment #8 from Andi N Kleen
http://bugzilla.novell.com/show_bug.cgi?id=619295#c9
--- Comment #9 from Petr Uzel

> Hmm I guess /dev/tty could work instead

Unfortunately not. Explanation by gnupg developer:
http://lists.gnupg.org/pipermail/gpa-dev/2003-October/001483.html
https://bugzilla.novell.com/show_bug.cgi?id=619295#c11
Donavan Pantke
https://bugzilla.novell.com/show_bug.cgi?id=619295#c12
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=619295#c13
--- Comment #13 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=619295#c14
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=619295#c15
Christian Dengler
https://bugzilla.novell.com/show_bug.cgi?id=619295#c16
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=619295#c17
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=619295#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=619295#c18
Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=619295#c19
Petr Uzel

> This seems to affect 11.3 as well (and is currently unfixed).

So, could you please be more specific wrt to what's unfixed?

> Affects pinentry-curses; $DISPLAY can be set or not, it's pretty much independent of X.

Bug #647655 maybe?
https://bugzilla.novell.com/show_bug.cgi?id=619295#c20
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=619295#c21
--- Comment #21 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=619295#c22
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=619295#c23
Petr Uzel

> The thing is, this only happens with git. `gpg -ab` for signing files is fine, it displays the curses interface.

Please try:

    export GPG_TTY=$(tty)
    git tag -m 'foo' foo -s

It should now correctly display curses interface, which is embedded into pinentry-gtk2 (for this reason, /usr/bin/pinentry selects pinentry-gtk/qt? even if DISPLAY is not set).

The problem is that curses interface can not work without stdin being connected to terminal ==> gpg -ab works while git tag does not.

See man gpg-agent for details about GPG_TTY.
https://bugzilla.novell.com/show_bug.cgi?id=619295#c24
--- Comment #24 from Petr Uzel

> IMHO the solution is to put the 'export GPG_TTY=$(tty)' into some of the /etc/*{bash,profile}*

Submitted to Factory sr#55011 (into /etc/bash.bashrc)
https://bugzilla.novell.com/show_bug.cgi?id=619295#c25
Jan Engelhardt

> See man gpg-agent for details about GPG_TTY.

What details? It does not say anything useful about it:

"You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:

    GPG_TTY=$(tty)
    export GPG_TTY

It is important that this environment variable always reflects the output of the tty command."

That breaks if you run xterm or screen without invoking a login shell.

Why the heck does this need to be a hard-to-control environment variable at all? Why can't gpg — which is inevidently invoked — call tty at program start itself (and thus always get the right value, even if an xterm-started-from-an-xterm is used)?
https://bugzilla.novell.com/show_bug.cgi?id=619295#c26
Petr Uzel

> That breaks if you run xterm or screen without invoking a login shell.

Does it? If you 'export GPG_TTY=$(tty)' in ~/.bashrc, it is sourced every time the interactive shell is run. What do I miss?

> Why the heck does this need to be a hard-to-control environment variable at all? Why can't gpg — which is inevidently invoked — call tty at program start itself (and thus always get the right value, even if an xterm-started-from-an-xterm is used)?

I think gpg does exactly this, if its stdin is connected to terminal. But if it isn't (like with the git tag case), how would you find out the tty?
https://bugzilla.novell.com/show_bug.cgi?id=619295#c27
Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=619295#c28
Petr Uzel

> bashrc yes (bash_profile, no)

It is now in /etc/bash.bashrc ...

> - but then again, that only addresses bash, not
> the other shells.

.. as well as in /etc/csh.cshrc

> This is another point why the gpg program should run tty. If upstream does not want to do that change, make /usr/bin/gpg a script similar to what is done with /usr/bin/pinentry and run in it:
>
> #!/bin/sh
> GPG_TTY=$(tty) exec /usr/bin/gpg-real "$@";
>
> That should take care of non-bash and login-not-login — and even bash --norc — situations.

But it still won't help if the "gpg script" is run with stdin redirected (without the redirection, GPG_TTY is not needed). So this is no better.

I understand you don't like it, but I really don't see any better solution.
https://bugzilla.novell.com/show_bug.cgi?id=619295#c29
--- Comment #29 from Jan Engelhardt

> with stdin redirected

In that case, it should simply be GPG_TTY=/dev/tty. This is what ssh and so on do anyway, whether their stdin is redirected or not.
https://bugzilla.novell.com/show_bug.cgi?id=619295#c30
--- Comment #30 from Andi N Kleen
https://bugzilla.novell.com/show_bug.cgi?id=619295#c31
Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=619295#c32
Petr Uzel

> In that case, it should simply be GPG_TTY=/dev/tty. This is what ssh and so on do anyway, whether their stdin is redirected or not.

I don't know how it is with ssh, but this will not work with gpg & standalone gpg-agent.

In short: Gpg would instruct gpg-agent to use /dev/tty, gpg-agent passes this along to pinentry. /dev/tty is synonym for controlling terminal of the process. gpg-agent does not have controlling terminal -> pinentry does not have controlling terminal. /dev/tty does not work.

Long version:
http://lists.gnupg.org/pipermail/gnupg-users/2003-July/019166.html
http://lists.gnupg.org/pipermail/gpa-dev/2003-October/001483.html
http://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
https://bugzilla.novell.com/show_bug.cgi?id=619295#c33
--- Comment #33 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=619295#c34
--- Comment #34 from Petr Uzel

> So how do we find the ctty of a process without resorting to ugly hacks like parsing `ps` output? I could think of gpg opening /dev/tty and sending the fd over the unix socket to gpg-agent (SCM_RIGHTS).

This is an interesting idea. However, since gpg, gpg-agent and pinentry (and seahorse) communicate via the assuan protocol (implemented in libassuan), this would require significant changes in the assuan protocol/library. Therefore, if you want to push this idea forward, I suggest to do so on gnupg-devel mailing list.
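
The two points made above, that a daemon without a controlling terminal cannot open /dev/tty (comment #32) and that the client could instead hand over an open terminal descriptor with SCM_RIGHTS (quoted in comment #34), shown as an added Python sketch; it is not part of this thread and not GnuPG or libassuan code. The `agent` and `demo` functions, the one-byte message and the pty standing in for the user's terminal are assumptions made for illustration.

```python
import array, errno, os, socket

def agent(sock):
    """Daemon role: runs without a controlling terminal, like gpg-agent."""
    os.setsid()  # new session, so this process has no controlling terminal
    try:
        os.close(os.open("/dev/tty", os.O_RDWR))
        dev_tty = "opened"
    except OSError as e:
        dev_tty = errno.errorcode.get(e.errno, "error")  # ENXIO on Linux
    # Receive one descriptor as SCM_RIGHTS ancillary data.
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
    is_tty = os.isatty(fds[0])
    os.write(fds[0], b"Enter passphrase: ")  # prompt lands on the client's terminal
    sock.sendall(f"{dev_tty} {is_tty}".encode())

def demo():
    """Return (result of opening /dev/tty in the agent, passed fd is a tty, prompt seen)."""
    master, slave = os.openpty()  # constructed stand-in for the user's terminal
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        try:
            for fd in (master, slave):  # the agent inherits no terminal descriptor
                os.close(fd)
            client.close()
            agent(server)
        finally:
            os._exit(0)
    server.close()
    # Client role (what gpg would do): pass its own terminal descriptor.
    rights = array.array("i", [slave])
    client.sendmsg([b"T"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])
    status = client.recv(64).decode().split()
    os.waitpid(pid, 0)
    prompt = os.read(master, 64) if status else b""
    for fd in (master, slave):
        os.close(fd)
    client.close()
    return (status[0], status[1] == "True", prompt) if status else None

if __name__ == "__main__":
    print(demo())
```

The descriptor received this way refers to the same terminal the client has open, so it stays usable even though the path /dev/tty means nothing inside the detached process.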
http://bugzilla.novell.com/show_bug.cgi?id=619295#c35
--- Comment #35 from Bernhard Wiedemann