[opensuse] Pinentry problem
I have this code snippet in my ~/.bash_profile

    keychain --agents "ssh,gpg" id_rsa 927D45FB
    [[ -f $HOME/.keychain/$HOSTNAME-sh ]] && \
        source $HOME/.keychain/$HOSTNAME-sh
    [[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && \
        source $HOME/.keychain/$HOSTNAME-sh-gpg

Since logging in with KDM didn't seem to invoke that, I duplicated it to ~/.xinitrc

All went well with 11.0, 11.1 and initially with 11.2. Then came some upgrade or combination with qt, gtk or whatever.

Things broke. The login hung. I was no longer getting the prompt to the screen.

So I hot-keyed to a tty and logged in there. It hung. I ctrl-C'd, then did a 'ps -ef' and found there was a 'pinentry' process attached to the X-window, but not visible.

I logged out, logged in again, and when the tty hung hot-keyed to another tty and logged in as root, which doesn't have that code. Doing a 'ps' there showed there was a 'pinentry' hung on the tty as well.

It seems somewhere in the updates the pinentry code, or perhaps the gtk or qt code it relies on, has changed. Perhaps there needs to be a redirection.

    # rpm -qi pinentry
    Name        : pinentry                 Relocations: (not relocatable)
    Version     : 0.7.6                    Vendor: openSUSE
    Release     : 5.5                      Build Date: Tue 20 Oct 2009 04:49:01 AM EDT
    Install Date: Tue 09 Mar 2010 09:26:00 AM EST   Build Host: build24
    Group       : Productivity/Other       Source RPM: pinentry-0.7.6-5.5.src.rpm
    Size        : 140035                   License: GPL v2 or later
    Signature   : RSA/8, Tue 20 Oct 2009 04:49:30 AM EDT, Key ID b88b2fd43dbdc284
    Packager    : http://bugs.opensuse.org
    URL         : http://www.gnupg.org/aegypten/
    Summary     : Collection of Simple PIN or Passphrase Entry Dialogs
    Description :
    This is a collection of simple PIN or passphrase entry dialogs which
    utilize the Assuan protocol as described by the Aegypten project.

    Authors:
    --------
        Robert Bihlmeyer <robbe@orcus.priv.at>
        Werner Koch, g10 Code GmbH <wk@gnupg.org>
        Steffen Hansen, Klarälvdalens Datakonsult AB <steffen@klaralvdalens-datakonsult.se>
        Marcus Brinkmann, g10 Code GmbH <marcus@g10code.com>
    Distribution: openSUSE 11.2

    # rpm -qa| grep pinentry
    pinentry-qt-0.7.6-5.5.i586
    pinentry-gtk2-0.7.6-5.5.i586
    pinentry-0.7.6-5.5.i586
    pinentry-qt4-0.7.6-5.5.i586

Now that seems rather odd.

Can anyone help?

--
Definitions are temporary verbalizations of concepts, and concepts -- particularly difficult concepts -- are usually revised repeatedly as our knowledge and understanding grows.
  -- Ernst Mayr

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

Hi,

On Tue, Mar 16, 2010 at 09:31:19PM -0400, Anton Aylward wrote:
> I have this code snippet in my ~/.bash_profile
>
>     keychain --agents "ssh,gpg" id_rsa 927D45FB
>     [[ -f $HOME/.keychain/$HOSTNAME-sh ]] && \
>         source $HOME/.keychain/$HOSTNAME-sh
>     [[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && \
>         source $HOME/.keychain/$HOSTNAME-sh-gpg
>
> Since logging in with KDM didn't seem to invoke that, I duplicated it to ~/.xinitrc
>
> All went well with 11.0, 11.1 and initially with 11.2. Then came some upgrade or combination with qt, gtk or whatever.
>
> Things broke. The login hung. I was no longer getting the prompt to the screen.
[...]

I can reproduce that, as well as other people:
https://bugs.g10code.com/gnupg/issue1199
http://bugs.gentoo.org/203871

I don't know why it does not work, but I'll look into it.

Petr

--
Petr Uzel, openSUSE Boosters Team
IRC: ptr_uzl @ freenode

On Wed, Mar 17, 2010 at 10:49:20AM +0100, Petr Uzel wrote:
> Hi,
>
> On Tue, Mar 16, 2010 at 09:31:19PM -0400, Anton Aylward wrote:
> > I have this code snippet in my ~/.bash_profile
> >
> >     keychain --agents "ssh,gpg" id_rsa 927D45FB
> >     [[ -f $HOME/.keychain/$HOSTNAME-sh ]] && \
> >         source $HOME/.keychain/$HOSTNAME-sh
> >     [[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && \
> >         source $HOME/.keychain/$HOSTNAME-sh-gpg
> >
> > Since logging in with KDM didn't seem to invoke that, I duplicated it to ~/.xinitrc
> >
> > All went well with 11.0, 11.1 and initially with 11.2. Then came some upgrade or combination with qt, gtk or whatever.
> >
> > Things broke. The login hung. I was no longer getting the prompt to the screen.
> [...]
>
> I can reproduce that, as well as other people:
> https://bugs.g10code.com/gnupg/issue1199
> http://bugs.gentoo.org/203871
>
> I don't know why it does not work, but I'll look into it.

Tried gpg-2.0.9 -> it started to work.
Switched back to gpg-2.0.12 -> it still works, can not reproduce anymore.

Confused....

Petr

--
Petr Uzel, openSUSE Boosters Team
IRC: ptr_uzl @ freenode

Petr Uzel said the following on 03/17/2010 05:49 AM:
> [...]
> > Things broke. The login hung. I was no longer getting the prompt to the screen.
> [...]
>
> I can reproduce that, as well as other people:
> https://bugs.g10code.com/gnupg/issue1199
> http://bugs.gentoo.org/203871
>
> I don't know why it does not work, but I'll look into it.

The first URL not only describes the bug but the code in the shell script for keychain says:

    # save LC_ALL so that pinentry-curses works right. This has always worked
    # correctly for me but peper and kloeri had problems with it.

Yes, it's the pinentry called by gpg which is the problem.

The code for gpg calls /usr/bin/pinentry which is a shell script.

I *think* it should call pinentry-curses or the

I removed pinentry-gtk-2 with no effect

Running 'sh -x /usr/bin/pinentry' from the tty it detects that there is a running KDE elsewhere and tries to execute /usr/bin/pinentry-qt4

That chain of if/elseif is a bit confusing and unclear.

If -qt is installed then it will be used REGARDLESS of whether KDE is running or not. As a result -curses can never be selected.

That seems to me to be one bug.

Well that's ONE bug!

--
Let us never forget that government is ourselves and not an alien power over us. The ultimate rulers of our democracy are not a President and senators and congressmen and government officials, but the voters of this country.”
  -- Franklin D. Roosevelt

On Wed, Mar 17, 2010 at 09:23:40AM -0400, Anton Aylward wrote:
> Petr Uzel said the following on 03/17/2010 05:49 AM:
> > [...]
> > > Things broke. The login hung. I was no longer getting the prompt to the screen.
> > [...]
> >
> > I can reproduce that, as well as other people:
> > https://bugs.g10code.com/gnupg/issue1199
> > http://bugs.gentoo.org/203871
> >
> > I don't know why it does not work, but I'll look into it.
>
> The first URL not only describes the bug but the code in the shell script for keychain says:
>
>     # save LC_ALL so that pinentry-curses works right. This has always worked
>     # correctly for me but peper and kloeri had problems with it.
>
> Yes, it's the pinentry called by gpg which is the problem.

pinentry is not called directly by gpg, but by gpg-agent.

> The code for gpg calls /usr/bin/pinentry which is a shell script.

Yes, that's how it works in suse.

> I *think* it should call pinentry-curses or the
>
> I removed pinentry-gtk-2 with no effect

You can override the default pinentry by setting

    pinentry-program /usr/bin/pinentry-curses

in ~/.gnupg/gpg-agent.conf

However, setting that to pinentry-curses does not seem to help.

> Running 'sh -x /usr/bin/pinentry' from the tty it detects that there is a running KDE elsewhere and tries to execute /usr/bin/pinentry-qt4
>
> That chain of if/elseif is a bit confusing and unclear.

True, but do you know any other way how gpg-agent could determine which pinentry to run?

> If -qt is installed then it will be used REGARDLESS of whether KDE is running or not. As a result -curses can never be selected.

Graphical pinentry's have precedence over pinentry-curses. If DISPLAY is not set, then pinentry-{qt,gtk-2} runs pinentry-curses instead. If you don't like this behavior, you can modify gpg-agent.conf as mentioned above. The problem seems to be that keychain runs gpg with empty environment and gpg-agent (for some reason) can not handle it. As a workaround, you can apply this patch to /usr/bin/keychain: @@ -1039,7 +1039,7 @@ for glm_k in "$@"; do # Check if this key is known to the agent. Don't know another way... - if echo | env -i PATH="$PATH" GPG_AGENT_INFO="$GPG_AGENT_INFO" \ + if echo | env PATH="$PATH" GPG_AGENT_INFO="$GPG_AGENT_INFO" \ gpg --no-options --use-agent --no-tty --sign --local-user "$glm_k" -o- >/dev/null 2>&1; then # already know about this key mesg "Known gpg key: ${BLUE}${glm_k}${OFF}" Please note that this may have some nasty effects, so please use at your own risk (if you decide to give it a try, please let me know if that resolves the issue for you). I'll try to find better solution. Petr -- Petr Uzel, openSUSE Boosters Team IRC: ptr_uzl @ freenode
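Review bot: Dropping `-i` from the `env` call in the "Check if this key is known to the agent" probe means gpg now inherits the caller's whole environment, so PATH and GPG_AGENT_INFO are no longer the only variables it sees and the isolation the original line provided is gone. A narrower change would keep `env -i` and pass, next to PATH and GPG_AGENT_INFO, only the additional variables gpg-agent turns out to need, and extend the comment above the `if` to say why each one is passed.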
On 2010-03-17 16:01, Petr Uzel wrote:
> On Wed, Mar 17, 2010 at 09:23:40AM -0400, Anton Aylward wrote:
> > Petr Uzel said the following on 03/17/2010 05:49 AM:
> > > [...]
> > > > Things broke. The login hung. I was no longer getting the prompt to the screen.
> > > [...]
> > >
> > > I can reproduce that, as well as other people:
> > > https://bugs.g10code.com/gnupg/issue1199
> > > http://bugs.gentoo.org/203871
> > >
> > > I don't know why it does not work, but I'll look into it.
> >
> > The first URL not only describes the bug but the code in the shell script for keychain says:
> >
> >     # save LC_ALL so that pinentry-curses works right. This has always worked
> >     # correctly for me but peper and kloeri had problems with it.
> >
> > Yes, it's the pinentry called by gpg which is the problem.
>
> pinentry is not called directly by gpg, but by gpg-agent.

By the way, this reminds me that in oS 11.0, when pinentry is called (or whatever) from Alpine, while the graphical dialog shows, cpu usage goes to the roof, 100%.

As I don't use Alpine in this 11.2 install, I don't know if the problem remains.

--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" GM (Minas Tirith))

Petr Uzel said the following on 03/17/2010 11:01 AM:
> > Running 'sh -x /usr/bin/pinentry' from the tty it detects that there is a running KDE elsewhere and tries to execute /usr/bin/pinentry-qt4
> >
> > That chain of if/elseif is a bit confusing and unclear.
>
> True, but do you know any other way how gpg-agent could determine which pinentry to run?
>
> > If -qt is installed then it will be used REGARDLESS of whether KDE is running or not. As a result -curses can never be selected.
>
> Graphical pinentry's have precedence over pinentry-curses. If DISPLAY is not set, then pinentry-{qt,gtk-2} runs pinentry-curses instead. If you don't like this behavior, you can modify gpg-agent.conf as mentioned above.

That is not the case.

From tty2 I ran 'sh - /usr/bin/pinentry'
I recorded it with 'script'
Sadly, "who am i" doesn't seem to work within script, so you'll have to take my word that this was on tty2

The result is:

    Script started on Wed 17 Mar 2010 11:49:22 AM EDT
    anton@BigBoy:~/tmp>
    anton@BigBoy:~/tmp> unset DISPLAY
    anton@BigBoy:~/tmp> sh -x /usr/bin/pinentry
    + kde_running=
    + '[' -n '' ']'
    + '[' -n '' ']'
    + arg=
    + display=
    + '[' -n '' ']'
    + '[' -n '' -a x = 4x -a -f /usr/bin/pinentry-qt4 ']'
    + '[' -n '' -a -f /usr/bin/pinentry-qt ']'
    + '[' -f /usr/bin/pinentry-gtk-2 ']'
    + export PINENTRY_BINARY=/usr/bin/pinentry-gtk-2
    + PINENTRY_BINARY=/usr/bin/pinentry-gtk-2
    + exec /usr/bin/pinentry-gtk-2
    OK Your orders please
    ^C
    anton@BigBoy:~/tmp> exit
    Script done on Wed 17 Mar 2010 11:50:02 AM EDT

That's what I mean about the if/elseif chain being wrong.

That code segment reads

    # otherwise test if pinentry-gtk-2 is installed
    elif [ -f /usr/bin/pinentry-gtk-2 ]
    then
        export PINENTRY_BINARY="/usr/bin/pinentry-gtk-2"
    # otherwise test if pinentry-qt4 exists although KDE is not detected
    elif [ -f /usr/bin/pinentry-qt4 ]
    then
        export PINENTRY_BINARY="/usr/bin/pinentry-qt4"
    # otherwise test if pinentry-qt exists although KDE is not detected
    elif [ -f /usr/bin/pinentry-qt ]
    then
        export PINENTRY_BINARY="/usr/bin/pinentry-qt"
    # pinentry-curses is installed by default
    else
        export PINENTRY_BINARY="/usr/bin/pinentry-curses"
    fi

So if -gtk-2 or -qt4 or -qt exist they will be used EVEN IF KDE IS NOT DETECTED.

I think this is WRONG !

The test for KDE only happens if DISPLAY is set. So what about other window managers?

--
"The man who does not read good books has no advantage over the man who can't read them."
  --Mark Twain

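The check ordering argued for in the message above, written out as an added example that is not part of the thread and not openSUSE's /usr/bin/pinentry: graphical front ends are considered only when DISPLAY is set, and pinentry-curses is the fallback. The names `PINENTRY_DIR`, `have`, `select_pinentry` and `demo`, and passing the KDE version as an argument, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the openSUSE wrapper): choose a pinentry front end so a
# graphical dialog is selected only when an X display is available.
# PINENTRY_DIR is a hypothetical override for testing; default is /usr/bin.

have() { [ -x "${PINENTRY_DIR:-/usr/bin}/$1" ]; }

select_pinentry() {
    display="$1"   # caller's DISPLAY, empty on a tty or ssh login
    kde="$2"       # KDE major version, empty if KDE not detected (assumption)
    choice=""

    if [ -n "$display" ]; then
        # Toolkit matching the running desktop first, then any graphical one.
        if [ "$kde" = 4 ] && have pinentry-qt4; then
            choice=pinentry-qt4
        elif [ -n "$kde" ] && have pinentry-qt; then
            choice=pinentry-qt
        elif have pinentry-gtk-2; then
            choice=pinentry-gtk-2
        elif have pinentry-qt4; then
            choice=pinentry-qt4
        elif have pinentry-qt; then
            choice=pinentry-qt
        fi
    fi
    # No display, or no graphical variant installed: fall back to curses.
    if [ -z "$choice" ] && have pinentry-curses; then
        choice=pinentry-curses
    fi
    if [ -z "$choice" ]; then
        echo "no usable pinentry found" >&2
        return 1
    fi
    echo "${PINENTRY_DIR:-/usr/bin}/$choice"
}

# Constructed demo: stub executables in a temp dir stand in for the packages.
demo() {
    PINENTRY_DIR=$(mktemp -d) || return 1
    for name in pinentry-curses pinentry-gtk-2 pinentry-qt4; do
        printf '#!/bin/sh\n' > "$PINENTRY_DIR/$name"
        chmod +x "$PINENTRY_DIR/$name"
    done
    echo "tty login: $(select_pinentry '' '')"
    echo "X, no KDE: $(select_pinentry ':0' '')"
    echo "X, KDE 4:  $(select_pinentry ':0' 4)"
    rm -rf "$PINENTRY_DIR"
    unset PINENTRY_DIR
}
demo
```

With the stubs from the demo installed, a login without DISPLAY resolves to pinentry-curses even though pinentry-gtk-2 and pinentry-qt4 are present.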
participants (3)
- Anton Aylward
- Carlos E. R.
- Petr Uzel