#pinentry

GPG2 and greater REQUIRE the use of gpg-agent and pinentry according to the excellent Arch wiki. In addition it seems that since GPG 2.1 the gpg-agent is autostarted. However this particular error was encountered with GPG-2.0:

With GnuPG 2.1 the need of GPG_AGENT_INFO has been completely removed and the variable is ignored. Instead a fixed Unix domain socket named S.gpg-agent in the GnuPG home directory (by default ~/.gnupg) is used. The agent is also started on demand by all tools requiring services from the agent.

The obvious cause of the error below is, as it states, that the gpg-agent is not running. However, I wish to use gnome-keyring-daemon and seahorse for this instead. Why is the keyring not doing the job it is assigned (it is started early via PAM). And, in addition, I can succesfully decrypt the text after entering the passphrase to pinentry-gtk-2. So, it is "working", but I am interested in: 1) what GTK2 is up to behind the scenes: 2) Does this set up of gpg-agent coupled with gtk-pinentry increase or decrease security?; 3) What is happening when it errors out like this?; 4) Are gnome-keyring and seahorse insecure compared to gpg-agent?

I will need to backtrace and see exactly what is being opened, but for the moment, it is at least ugly looking. Here is what happens:

$ gpg --decrypt something.asc

You need a passphrase to unlock the secret key for user: "El Mail " 2048-bit ELG key, ID 8DFE455, created 2011-04-02 (main key ID 5FFFBC3)

The PINentry dialog box appears and the passphrase is entered.

can't connect to `/home/myuser/.gnupg/S.gpg-agent': No such file or directory

So, obviously this is the interesting part. Is gpg-agent really not running? Apparently not, or at least the socket is not present:

$ gpg-agent gpg-agent[7600]: can't connect to `/home/ush/.gnupg/S.gpg-agent': No such file or directory gpg-agent: no gpg-agent running in this session

Anyway, here is the rest of the error that appeared during the session, just for reference. Note that I go ahead and enter the pin/passphrase and can decrypt the text:

(pinentry-gtk-2:6451): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable' gpg: encrypted with 2048-bit ELG key, ID 8DFE455, created 2011-04-02 "El Mail " Here is my succesfully decrypted text!

OK. This looks a bit unsettling. The point of the pinentry program is to never store the passphrases in memory or tempfiles or anywhwere else they could leak. So, it is important to figure out why this is reporting the error. First of all what versions of the software:

$ pinentry-gtk pinentry-gtk pinentry-gtk-2

pinentry-gtk-2 --version pinentry-gtk2 0.7.6

$ rpm -qif `which pinentry-gtk-2`

Name : pinentry-gtk Relocations: (not relocatable) Version : 0.7.6 Vendor: CentOS Release : 6.el6 Build Date: Fri 23 Sep 2011 09:22:05 AM EDT Install Date: Fri 06 Sep 2013 10:26:16 AM EDT Build Host: c6b18n1.dev.centos.org Group : Applications/System Source RPM: pinentry-0.7.6-6.el6.src.rpm Size : 103896 License: GPLv2+ Signature : RSA/SHA1, Mon 26 Sep 2011 12:23:37 AM EDT, Key ID 0946fca2c105b9de Packager : CentOS BuildSystem URL : http://www.gnupg.org/aegypten/ Summary : Passphrase/PIN entry dialog based on GTK+ Description : Pinentry is a collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol as described by the aegypten project; see http://www.gnupg.org/aegypten/ for details. This package contains the GTK GUI based version of the PIN entry dialog.

$ gpg --version

gpg (GnuPG) 2.0.14 libgcrypt 1.4.5

So, what is running, if gpg-agent is not? When I strace the process I only see gpg trying to open gpg-agent, and then when that fails, seemingly requesting pinentry itself. So, apparently the separate pinentry packages I have installed are not needed?

This man entry on gpg-agent claims it should be started from one of .xession, .bash_profile or .profile.

Running

$ gpg-agent --daemon --use-standard-socket

creates a socket in

~/.gnupg/S.XXXXX

and now the decryption runs without the error reported above. So, obviously I have not had seahorse set up correctly for this.

How to configure gpg to enter passphrase only once per session ?

Reblogging : Because the following has made my life — at the console, and beyond — a lot easier. ;-)

Install gpg-agent and pinentry program :

sudo apt-get install gnupg-agent pinentry-curses

Add the lines below to

~/.profile.

Any POSIX-confirming shell should include this file.

# Invoke GnuPG-Agent the first time we login. # Does `~/.gpg-agent-info' exist and points to gpg-agent process accepting signals? if test -f $HOME/.gpg-agent-info && \ kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info | cut -c 16-` else # No, gpg-agent not available; start gpg-agent eval `gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info` fi export GPG_TTY=`tty` export GPG_AGENT_INFO

This little script will be activated when you login. If the agent is not running, it will be started. When the agent is started, it shows how to set environment variables in order to connect to it. The script saves these values in ~/.gpg-agent-info, so that when you start another login session the script can setup the variables correctly and thus use the agent.

You will only have to enter your passphrase once per boot. The agent will store your keys in memory, so you don't have to enter the passphrase again.

Target : Self.

PS : Often, while I’m chasing for solutions — to this, or that problem — I “ forget ” to make notes. Yes — it’s a bad habit — I know. Point being : Me being focused, on fixing what lies in front of me. Which after all, is what I wanted to do.