Don't get the pinentry for passphrase in some contexts

Don't get the pinentry for passphrase in some contexts

Damien Cassou
Hi,

I have the attached application below that just tries to decrypt a file
with gpg2. When the gpg-agent has an empty cache (I temporarily set
max-cache-ttl to 0 while testing), the application behaves differently
when run from a terminal or from a Firefox add-on:

1- in the terminal, I get the pinentry application that asks me to enter
   the passphrase for the gpg key used to encrypt the file;

2- when launched from a Firefox web extension's browser action (Firefox
   itself being launched with `web-ext run` from the same terminal), I
   just get an error: "Public key decryption failed: Operation
   canceled. Decryption failed: No secret key". I'm never asked for my
   passphrase.

Others have reported the exact same problem with another web-extension
and another native application (written in Go):
https://github.com/dannyvankooten/browserpass/issues/23

I checked the environment variables and they are very similar (diff
attached).

Do you have any clue what could be different in the two environments
that could cause gpg2 to behave differently?

I sent the same message to the dedicated mailing list at mozilla.org:
https://mail.mozilla.org/pipermail/dev-addons/2017-July/002966.html. They
suggested I contact you.

Thank you

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Attachments: index-decrypt.txt (491 bytes), log.diff (2K)

Re: Don't get the pinentry for passphrase in some contexts

Damien Cassou
strace reveals the following. Does that ring a bell to anyone?

In Firefox
    read(5, "INQUIRE PINENTRY_LAUNCHED 22712\n", 1002) = 32
    write(5, "END", 3)                = 3
    write(5, "\n", 1)                 = 1
    read(5, "ERR 83886179 Operation cancelled <Pinentry>\n", 1002) = 44

In the terminal
    read(5, "INQUIRE PINENTRY_LAUNCHED 22990\n", 1002) = 32
    write(5, "END", 3)                = 3
    write(5, "\n", 1)                 = 1
    read(5, "D (5:value511...) = 543



Re: Don't get the pinentry for passphrase in some contexts

Werner Koch
On Thu, 13 Jul 2017 15:08, [hidden email] said:
> strace reveals the following. Does that ring a bell to anyone?

"debug-pinentry" in gpg-agent.conf would give you more info.  Adding
also "debug ipc" will show you the communication between gpg and
gpg-agent; that is what your strace shows.  Use "log-file FILE" to set a
log file and remember to reload gpg-agent.

> In Firefox
>     read(5, "INQUIRE PINENTRY_LAUNCHED 22712\n", 1002) = 32
>     write(5, "END", 3)                = 3
>     write(5, "\n", 1)                 = 1

The agent tells gpg that a pinentry has been launched and gpg
acknowledges that ("END").

>     read(5, "ERR 83886179 Operation cancelled <Pinentry>\n", 1002) = 44

The agent tells you that the Pinentry canceled the operation.  This is
usually due to clicking the cancel button.  Some older versions of
pinentry use cancel as a catch-all error from pinentry.  Modern versions
of gpg running with "-v" will print a line identifying the pinentry used
and thus reveal possible problems, for example a missing GPG_TTY
environment variable.

>     read(5, "D (5:value511...) = 543

This returns some data ;-)


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Don't get the pinentry for passphrase in some contexts

Damien Cassou
Matthias Apitz <[hidden email]> writes:
> What do you use as pinentry exactly? I have:
>
> $ ls -l /usr/local/bin/pinentry
> lrwxr-xr-x  1 root  wheel  27 15 may.  14:04 /usr/local/bin/pinentry ->
> /usr/local/bin/pinentry-qt5
>
> and this pops up a Qt5 window for this.


For me, /usr/bin/pinentry is an 86-line shell script that selects the
correct pinentry binary to use. In all cases, the binary used is
/usr/bin/pinentry-gnome3 (I'm on Gnome3) which is

    $ pinentry-gnome3 --version
    pinentry-gnome3 (pinentry) 0.9.7


Re: Don't get the pinentry for passphrase in some contexts

Damien Cassou
Werner Koch <[hidden email]> writes:
> "debug-pinentry" in gpg-agent.conf would give you more info.  Adding
> also "debug ipc" will show you the communication between gpg and
> gpg-agent; that is what you strace shows.  Use "log-file FILE" to set a
> log file and remember to reload gpg-agent.


I tried this configuration

    enable-ssh-support
    log-file /home/cassou/.gnupg/gpg-agent.log
    debug-level guru
    max-cache-ttl 0
    debug-pinentry 1
    debug 1024

The generated log files in both cases are quite similar but show the
differences below. I put _XXX_ to hide some values that are the same in
both outputs and _YYY_/_ZZZ_ when values differ.

--- firefox.log 2017-07-19 15:20:17.988440200 +0200
+++ terminal.log 2017-07-19 15:20:24.128297587 +0200
@@ -2,9 +2,9 @@
 DBG: chan_6 -> OK Pleased to meet you, process _PID_
 DBG: chan_6 <- RESET
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION ttyname=/dev/pts/2
+DBG: chan_6 <- OPTION ttyname=/dev/pts/0
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION ttytype=dumb
+DBG: chan_6 <- OPTION ttytype=xterm-256color
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION display=:0
 DBG: chan_6 -> OK
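Review bot: the only lines that differ in this hunk are the tty attributes gpg reports to the agent: the Firefox run sends OPTION ttyname=/dev/pts/2 with ttytype=dumb, the terminal run /dev/pts/0 with ttytype=xterm-256color, while display=:0 is identical in both. Since these two values come straight from the launching environment (GPG_TTY, which Werner already pointed at, and the terminal type), the "dumb" terminal type is the first difference to eliminate: compare GPG_TTY and TERM in the two environments before looking any further at the add-on itself.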
@@ -16,8 +16,6 @@
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION putenv=QT_IM_MODULE=ibus
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION putenv=INSIDE_EMACS=25.2.1,comint
-DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION lc-ctype=en_US.UTF-8
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION lc-messages=en_US.UTF-8
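Review bot: the extra OPTION putenv=INSIDE_EMACS=25.2.1,comint on the Firefox side shows that the two runs do not share a parent environment after all: `web-ext run` was started from an Emacs comint shell, which also accounts for ttytype=dumb in the previous hunk. Repeat the Firefox test from the same plain terminal used for the working run, so that only the add-on launch path differs between the two logs.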
@@ -46,12 +44,11 @@
 DBG: chan_6 <- PKDECRYPT
 DBG: chan_6 -> S INQUIRE_MAXLEN 4096
 DBG: chan_6 -> INQUIRE CIPHERTEXT
-DBG: chan_6 <- [ 44 ... ...(_YYY_ byte(s) skipped) ]
+DBG: chan_6 <- [ 44 ... ...(_ZZZ_ byte(s) skipped) ]
 DBG: chan_6 <- END
 DBG: keygrip: _XXX_
-DBG: cipher:  _XXX_ _YYY_ _XXX_
+DBG: cipher:  _XXX_ _ZZZ_ _XXX_
 DBG: agent_get_cache '_XXX_' (mode 2) ...
-DBG:   expired '_XXX_' (0s after creation)
 DBG: ... miss
 DBG: agent_get_cache '_XXX_' (mode 2) (stored cache key) ...
 DBG: ... miss
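Review bot: nothing in this hunk explains the failure. The "expired '_XXX_' (0s after creation)" line only reflects max-cache-ttl 0, both runs end in "... miss", and the _YYY_/_ZZZ_ placeholders mark a different ciphertext length rather than a behavioural difference; this hunk can be left out of the comparison.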
@@ -59,10 +56,5 @@
 DBG: connection to PIN entry established
 DBG: chan_6 -> INQUIRE PINENTRY_LAUNCHED _PID_
 DBG: chan_6 <- END
-DBG: error calling pinentry: Operation cancelled <Pinentry>
-failed to unprotect the secret key: Operation cancelled
-failed to read the secret key
-command 'PKDECRYPT' failed: Operation cancelled <Pinentry>
-DBG: chan_6 -> ERR 83886179 Operation cancelled <Pinentry>
-DBG: chan_6 <- [eof]
-handler 0x7f8e1fa24700 for fd 6 terminated
+DBG: agent_put_cache 'XXXXXX' (mode 2) requested ttl=0
+DBG: rsa_decrypt data:+XXXXX
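Review bot: this hunk pins the failure on the pinentry rather than on gpg or the agent. Both runs reach "connection to PIN entry established" and INQUIRE PINENTRY_LAUNCHED, so a pinentry process does start in the Firefox case; it is that process that then answers "Operation cancelled <Pinentry>" (error 83886179), which, given Werner's remark that some pinentry versions report any failure as cancel, need not mean a cancel button was pressed. The lines that debug-pinentry should produce between PINENTRY_LAUNCHED and the error are absent from this excerpt; check whether they are in the full log, because they are what records what pinentry-gnome3 actually saw.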


>>     read(5, "ERR 83886179 Operation cancelled <Pinentry>\n", 1002) = 44
>
> The agent tells you that the Pinentry canceled the operation.  This is
> usually due to clicking the cancel button.  Some older versions of
> pinentry use cancel as a catch-all error from pinentry.  Modern versions
> of gpg running with "-v" will print a line identifying the pinentry used
> and thus reveal possible problems, for example a missing GPG_TTY
> environment variable.


I have 2.1.13 and only got this in the Firefox console:

--------------------------stdout:

--------------------------stderr:
gpg: public key is XXX
gpg: using subkey XXX instead of primary key YYY
gpg: encrypted with 4096-bit RSA key, ID XXX, created 2015-04-17
      "Damien Cassou <[hidden email]>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key



Do you have any more clue?


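As an added example (not code from the thread), a small Python helper that does what the posts above do by hand: it pulls the OPTION values gpg hands to the agent out of two gpg-agent debug logs, reports which ones differ between the failing and the working run, and decodes the numeric Assuan error into its libgpg-error source and code. The two logs are constructed in the style of the excerpts above, not the poster's real logs, and the error-name tables only cover the two values that appear on this page.

```python
import re

# Constructed excerpts in the style of the gpg-agent debug log quoted above
# (not the poster's real logs): "<-" is what gpg sent, "->" the agent's reply.
FIREFOX_LOG = """\
DBG: chan_6 <- OPTION ttyname=/dev/pts/2
DBG: chan_6 <- OPTION ttytype=dumb
DBG: chan_6 <- OPTION putenv=INSIDE_EMACS=25.2.1,comint
DBG: chan_6 -> INQUIRE PINENTRY_LAUNCHED 22712
DBG: chan_6 <- END
DBG: chan_6 -> ERR 83886179 Operation cancelled <Pinentry>
"""
TERMINAL_LOG = """\
DBG: chan_6 <- OPTION ttyname=/dev/pts/0
DBG: chan_6 <- OPTION ttytype=xterm-256color
DBG: chan_6 -> INQUIRE PINENTRY_LAUNCHED 22990
DBG: chan_6 <- END
DBG: chan_6 -> OK
"""
OPTION_RE = re.compile(r"chan_\d+ <- OPTION (\S+?)=(.*)$")
ERR_RE = re.compile(r"chan_\d+ -> ERR (\d+) (.*)$")
# libgpg-error packs (source << 24) | code, so 83886179 == (5 << 24) | 99;
# only the source and code seen on this page are named here.
ERR_SOURCES, ERR_CODES = {5: "Pinentry"}, {99: "Operation cancelled"}

def decode_gpg_error(value):
    """Split a numeric libgpg-error value into (source, name, code, name)."""
    source, code = value >> 24, value & 0xFFFF
    return source, ERR_SOURCES.get(source, "?"), code, ERR_CODES.get(code, "?")

def parse_agent_log(text):
    """Return the OPTIONs gpg handed to the agent and the first ERR, if any."""
    options, error = {}, None
    for line in text.splitlines():
        if m := OPTION_RE.search(line):
            key, val = m.groups()
            if key == "putenv":  # putenv=NAME=VALUE: record each variable on its own
                name, _, val = val.partition("=")
                key = "env:" + name
            options[key] = val
        elif (m := ERR_RE.search(line)) and error is None:
            error = (int(m.group(1)), m.group(2))
    return options, error

def compare_runs(failing, working):
    """Options that differ between two runs, as key -> (failing, working)."""
    a, _ = parse_agent_log(failing)
    b, _ = parse_agent_log(working)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}
```

Running `compare_runs(FIREFOX_LOG, TERMINAL_LOG)` on these samples reports ttyname, ttytype and env:INSIDE_EMACS as the only differences, which is the same triage the diff above invites.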