[opensuse] gpg2 pass phrase problem.
Is there a way to get OpenSuSE's gpg2 (or I suppose it *_COULD_* be pinentry) to recognize and use a symlinked ~/gnupg dir??? And more importantly how do I get it to NEVER EVER cache the passphrase. I.e., I don't care if I just successfully decrypted a file using the same key from the same command shell 2 seconds ago. If I attempt to decrypt another (or even the same file again) I expect to either have to again enter the passphrase correctly, or for the decryption to fail. If it fails to ask me for my passphrase, or if the pinentry popup passphrase input box doesn't wait for input before closing, I do NOT expect gpg to decrypt the file based on input from a previous command instance. On the other hand, I do expect the pinentry input box to wait for input before closing... {See below}

OK first let me say I'm a multi-Linux/multi-boot user. I boot all my installed Linux to a text login prompt on a console (I strongly dislike display managers) and use startx when/if I want to start the gui. My WM/DE of choice is E17.

I have a personal data partition that I mount as a user owned partition and use a symlink ~/com so that I can use the same data files regardless of which Linux I boot, while allowing each Linux to have its own user rc files to avoid any conflicts due to any differences in application versions. And please note that I use another symlink to have all my Linux use the same ~/gnupg directory that is also located on my personal data partition.

My use of gpg is minimal in that I only ever use it to encrypt/decrypt sign or verify "ONLY 'text' files" either in a console or if X is running in either an xterm or more likely a "konsole" window. And this has worked reliably from all my installed Linux for years. Except that since gpg2 replaced the old gpg I've had issues on my openSuSE 11.3 installation.
First symptom I ever noticed was when I initially log in to the console I've been getting an error that might be related to the fact that my ~/.gnupg directory is a symlink... I used gpm to paste the login/error text below.

===============snip===============
Welcome to openSUSE 11.3 "Teal" {{ 2011-09-15 * 13:21:14 }}
Kernel 2.6.34.10-0.2-desktop on an x86_64 (tty1)

OpenSuSEme2010 login: jtwdyp
Password:
Last login: Thu Sep 15 13:15:44 EDT 2011 on tty3
You have mail.
Have a lot of fun...
gpg-agent[4947]: can't create directory `/home/jtwdyp/.gnupg': File exists
GPG_AGENT_INFO=/tmp/gpg-ZZk1JD/S.gpg-agent:4948:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-zD38np/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4948; export SSH_AGENT_PID;
gpg-agent[4948]: gpg-agent (GnuPG) 2.0.15 started
JtWdyP -> /home/jtwdyp
===============snip===============

I couldn't figure out why it would complain about a directory existing that it should only ever have to create once... Especially since none of my other Linux complained. But {at the time} gpg was still working from the command line, so I didn't see it as a problem...

Now however something has changed. I can't really say when it changed. As for a long time I've been spending more time in Arch Linux than OpenSuSE and, as it happens it's been a long time since I happened to have occasion to use gpg while running OpenSuSE. But when I tried to use it today it failed to prompt me for the passphrase:

===============snip===============
JtWdyP -> /home/jtwdyp
gpg --output ~/com/.crossfile/.words.out --decrypt ~/com/.crossfile/.words.asc

You need a passphrase to unlock the secret key for
user: "Joe(theWordy)Philbrook (JtWdyP) <jtwdyp@ttlc.net>"
1024-bit ELG key, ID 225FDC6D, created 2004-05-17 (main key ID 6C2163DE)

gpg: problem with the agent: End of file
gpg: encrypted with 1024-bit ELG key, ID 225FDC6D, created 2004-05-17
      "Joe(theWordy)Philbrook (JtWdyP) <jtwdyp@ttlc.net>"
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
JtWdyP -> /home/jtwdyp
===============snip===============

So I did some empirical testing and replaced the ~/.gnupg symlink with a hard copy of the directory the symlink pointed at. And when I tried again gpg worked properly... At least I thought it did. It did work with the above command line from a konsole window under E17. At least it did the first time. I thought I was happy, except for the fact that I want all the installed Linux to use the same ~/gnupg dir to access the same keyring files etc...

However when I rebooted I decided to test it some more on the way back in. I decided to test first if gpg was again working also from the console when X wasn't yet running. It did. I got a verbose passphrase prompt embedded within the console screen. It worked. It did decrypt the file. Then I ran startx, opened a konsole and ran the command again. It didn't prompt me. It simply decrypted .words.asc into a new instance of .words.out. This behavior is quite unacceptable.

After several reboots I've found that it seems unstable, most times if I don't run the command from a console prior to running startx, decryption fails. (Sometimes I can see the pinentry pop-up flash on the screen and disappear without waiting for input.) If I use a <ctrl>+<alt>+<F-key> shortcut to get to one of the available console screens, & login to run the decryption command in a console while X is already running, the console freezes up as if it was waiting for a pinentry pop-up, which of course doesn't happen. ^C gets me back to a command prompt...

If on the other hand I did run the decryption command from a console while X wasn't running and typed in the correct passphrase, then run startx and wait several minutes before running the decryption command from a terminal window, the pinentry window will appear and actually wait for input. Though subsequent calls will decrypt without prompting (unless I again wait several minutes.)

ARRRRRGHGH! All I want is for gpg to prompt for the passphrase every time. And for the pinentry prompt to always wait for my input before failing.

===============snip===============

Assuming the above "passphrase skipping" auto decryption and/or decryption failure is solved, I'd be mostly happy... That is I can live with not being able to use the symlink. Though it does bug me that an identical symlink works reliably with Ubuntu, PCLinuxOS, Arch, & Sabayon Linux. Especially since, if I don't use the symlink then every time I add a key etc... I'll have to remember to boot into OpenSuSE and either:

rm -r ~/.gnupg/ && cp -r ~/sig/.gpg/.gnupg/ ~/.gnupg/

OR:

rm -r ~/sig/.gpg/.gnupg/ && cp -r ~/.gnupg/ ~/sig/.gpg/.gnupg/

Depending on whether I'd been running OpenSuSE or not when I added the key or whatever. In which case I just hope that when I get around to remembering to do that I haven't accidentally added some keys while running OpenSuSE and added others while running any of the other Linux...

Any suggestions???

-- 
| ~^~ ~^~ | <?> <?> Joe (theWordy) Philbrook | ^ J(tWdy)P | \___/ <<jtwdyp@ttlc.net>>

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
It would appear that on Sep 16, Joe Philbrook did say:
> Is there a way to get OpenSuSE's gpg2 (or I suppose it *_COULD_* be pinentry) to recognize and use a symlinked ~/gnupg dir???
>
> And more importantly how do I get it to NEVER EVER cache the passphrase.
>
> I.e., I don't care if I just successfully decrypted a file using the same key from the same command shell 2 seconds ago. If I attempt to decrypt another (or even the same file again) I expect to either have to again enter the passphrase correctly, or for the decryption to fail. If it fails to ask me for my passphrase, or if the pinentry popup passphrase input box doesn't wait for input before closing, I do NOT expect gpg to decrypt the file based on input from a previous command instance. On the other hand, I do expect the pinentry input box to wait for input before closing... {See below}
===================== snip =====================

It occurred to me that the problem might have to do with not having done a "zypper dup" in a LONG time. (Usually I settle for "zypper up".) So I did a "zypper dup" {which updated over 200 packages} and then did some more empirical testing... It didn't fix anything. I'm still getting the same problems...

I did happen to notice something else though. I don't know why I decided to test this but: If I boot to console login on tty1, login, but before either running a gpg command or startx, if I use an <alt>+<F-key> shortcut to switch to another console (such as tty2) and login again, then attempt to run a gpg decryption command on the second console that I logged into (in this case tty2), when it locks up as if waiting for pinentry to return, if I again use an <alt>+<F-key> shortcut to switch back to the first console (in this case tty1), I'll see the verbose passphrase prompt that should have been displayed on tty2... The cursor will be inside the passphrase entry box but anything typed is NOT replaced with "*" characters. That is, it can be read as it's typed. AND when, if I press enter, anything so typed is interpreted as a shell command... This is simply wrong!

In another thread somebody pointed me at a good how-to for upgrading from 11.3 to 11.4 so I might attempt that and see if whatever fluke is causing this is limited to 11.3

If I succeed in upgrading to 11.4 and still have this problem I'm probably going to have to uninstall gpg2 because I really can't stand its broken behavior. I don't suppose it's possible to get the old gpg back? I never had trouble with that version...

-- 
| ~^~ ~^~ | <?> <?> Joe (theWordy) Philbrook | ^ J(tWdy)P | \___/ <<jtwdyp@ttlc.net>>
It would appear that on Sep 16, Joe(theWordy)Philbrook did say:
> In another thread somebody pointed me at a good how-to for upgrading from 11.3 to 11.4 so I might attempt that and see if whatever fluke is causing this is limited to 11.3
>
> If I succeed in upgrading to 11.4 and still have this problem I'm probably going to have to uninstall gpg2 because I really can't stand its broken behavior. I don't suppose it's possible to get the old gpg back? I never had trouble with that version...
Well the upgrade to 11.4 worked. And it seems part of the problem went away in that the passphrase prompt stopped detaching but became always embedded in the console or terminal window screen. So if it needed me to enter the passphrase it stopped blowing past without waiting for my input...

The caching issue was a tough egg to crack however. It seems that the component responsible for that was gpg-agent. I had suspected as much and had previously extracted the following from man gpg-agent:

OPTIONS
    --options file
        Reads configuration from file instead of from the default per-user
        configuration file. The default configuration file is named
        'gpg-agent.conf' and expected in the '.gnupg' directory directly
        below the home directory of the user.

And:

    --default-cache-ttl n
        Set the time a cache entry is valid to n seconds. The default is
        600 seconds.

But this didn't seem to work because when I created the file ~/.gnupg/gpg-agent.conf with this line in it:

--default-cache-ttl 5

gpg-agent complained about an invalid option... However I finally tripped over this in a google search:

http://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html

Where there was something that I feel SHOULD have been in the man document:

=> It may contain any valid long option; the leading two dashes may not be
=> entered and the option may not be abbreviated.

Turns out all I need to do was to put THIS line in ~/.gnupg/gpg-agent.conf:

default-cache-ttl 5

instead of:

--default-cache-ttl 5

Anyway, the problem, it is solved.
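As an added example (my own script, not code from the thread or from GnuPG), the following POSIX sh snippet writes a gpg-agent.conf in the form the poster settled on and lints an existing file for the dashed form that gpg-agent rejects as an invalid option. The function names write_agent_conf and lint_agent_conf are assumed for illustration; the script works on a temporary directory it creates, never on the real ~/.gnupg. It goes slightly beyond the post by also setting max-cache-ttl, which caps an entry's lifetime even if the entry keeps being used, so the two together bound how long a passphrase stays cached.

```shell
#!/bin/sh
# Added example: gpg-agent.conf takes long option names WITHOUT the
# leading "--" (the form "--default-cache-ttl 5" is rejected).

# write_agent_conf DIR SECONDS
# Writes DIR/gpg-agent.conf so cached passphrases expire after SECONDS
# seconds, both on idle (default-cache-ttl) and absolutely (max-cache-ttl).
# Directory and file are created with owner-only permissions.
write_agent_conf() {
    dir=$1
    ttl=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    {
        printf '%s\n' "# cache entries expire after $ttl seconds"
        printf '%s\n' "default-cache-ttl $ttl"
        printf '%s\n' "max-cache-ttl $ttl"
    } > "$dir/gpg-agent.conf"
    chmod 600 "$dir/gpg-agent.conf"
}

# lint_agent_conf FILE
# Returns 1 (and reports each offending line on stderr) if any line of
# FILE starts with "--", i.e. was written in command-line rather than
# config-file syntax. Returns 0 when every option line is dash-free.
lint_agent_conf() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            --*) printf '%s:%s: drop the leading dashes: %s\n' \
                     "$file" "$n" "$line" >&2
                 bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo on a constructed temporary directory (not the real ~/.gnupg).
demo_dir=$(mktemp -d)
write_agent_conf "$demo_dir" 5
lint_agent_conf "$demo_dir/gpg-agent.conf" && echo "ok: gpg-agent.conf"
printf '%s\n' "--default-cache-ttl 5" > "$demo_dir/bad.conf"
lint_agent_conf "$demo_dir/bad.conf" || echo "rejected: bad.conf"
rm -rf "$demo_dir"
```

After editing the real ~/.gnupg/gpg-agent.conf, the running agent has to re-read it; `gpgconf --reload gpg-agent` does that without logging out.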