unofficial mirror of bug-guix@gnu.org 
* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Chris Marusich @ 2017-01-02  1:50 UTC
  To: 25328

Hi,

Since upgrading pinentry from 0.9.7 to 1.0.0, I've noticed some strange
behavior.  In GNOME only, when gpg tries to access my secret key, the
attempt fails without prompting me for my passphrase.  For example, it
fails like this:

--8<---------------cut here---------------start------------->8---
[0] marusich@garuda:~
$ echo hello > /tmp/message
[0] marusich@garuda:~
$ gpg --sign /tmp/message 
gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled
[2] marusich@garuda:~
$ 
--8<---------------cut here---------------end--------------->8---

No prompt appears, GUI or otherwise.  However, if I repeat the "gpg
--sign" command many times, eventually a GUI does appear which asks me
for a password.  In that case, everything works just fine.  But about
90-95% of the time, the attempt just fails like above, without showing
me any prompt.

This problem is not limited to my manual command-line invocation.  The
same kind of issue also occurs when emacs (the graphical version,
running in GNOME) tries to automatically decrypt encrypted files (e.g.,
when gnus needs to read my ~/.authinfo.gpg file to connect to an email
server).  Normally, when emacs needs to decrypt a file like this, a new
window pops up to ask me for my passphrase, but because of this issue,
the decryption fails, without showing me a prompt, for a similar reason:

--8<---------------cut here---------------start------------->8---
Error while decrypting with "gpg":

gpg: encrypted with 4096-bit RSA key, ID 0FE3DE4943560F06, created 2016-02-19
      "Chris Marusich <cmmarusich@gmail.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
--8<---------------cut here---------------end--------------->8---

I suspect these are symptoms of the same issue.

My ~/.gnupg/gpg-agent.conf contains the following single line:

 pinentry-program /home/marusich/.guix-profile/bin/pinentry

This issue does NOT occur in Xfce.  This issue does NOT occur when I run
the "gpg --sign" command in a virtual terminal (e.g., by pressing
Control+Alt+F2 to switch to a virtual terminal).  In GNOME, this issue
DOES occur regardless of which "pinentry" program I specify in my
~/.gnupg/gpg-agent.conf file (the same issue occurs with pinentry,
pinentry-curses, pinentry-gtk-2, and pinentry-tty).

I've run both "guix pull" and "sudo guix pull" successfully in the last
few days, and I've successfully reconfigured my system since then, so
I'm using the most recent Guix software.  I'm using GuixSD.

Since I've added and modified many things to my home directory, I tried
creating a test user with a fresh home directory to rule out my local
customizations as a cause.  I was able to reproduce the issue using a
fresh test user in GNOME after installing gnupg and pinentry via "guix
package -i gnupg pinentry".  The only changes I made to the test user's
home directory were (1) I added the "export" statements to its ~/.bashrc
file which were suggested by Guix after installing those two packages,
and (2) I added a ~/.gnupg/gpg-agent.conf which uses the pinentry that
got installed into the test user's profile.  So, I expect that other
users of GuixSD can probably reproduce this issue.

-- 
Chris

* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Ludovic Courtès @ 2017-01-09  9:18 UTC
  To: Chris Marusich; +Cc: 25328

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Since upgrading pinentry from 0.9.7 to 1.0.0, I've noticed some strange
> behavior.  In GNOME only, when gpg tries to access my secret key, the
> attempt fails without prompting me for my passphrase.  For example, it
> fails like this:
>
> [0] marusich@garuda:~
> $ echo hello > /tmp/message
> [0] marusich@garuda:~
> $ gpg --sign /tmp/message 
> gpg: signing failed: Operation cancelled
> gpg: signing failed: Operation cancelled
> [2] marusich@garuda:~
> $ 

For the record, I’ve never experienced this problem (that’s outside of
GNOME) with:

--8<---------------cut here---------------start------------->8---
$ guix package -I '(gnupg|pinentry)'
pinentry	1.0.0	out	/gnu/store/57dg2i4backl38bw4ipcsdg1b7df9j64-pinentry-1.0.0
gnupg	2.1.16	out	/gnu/store/fz44xcp1iksikjvcc472bgsr9hs8ygkq-gnupg-2.1.16
--8<---------------cut here---------------end--------------->8---

ISTR that GNOME has a hack to force its own Pinentry tool.  Could it be
what’s at fault?

Thanks,
Ludo’.

* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Chris Marusich @ 2017-01-20  8:14 UTC
  To: Ludovic Courtès; +Cc: 25328

Hi,

Previously, I wrote:

> In GNOME, this issue DOES occur regardless of which "pinentry" program
> I specify in my ~/.gnupg/gpg-agent.conf file (the same issue occurs
> with pinentry, pinentry-curses, pinentry-gtk-2, and pinentry-tty).

I don't think this is actually true.  I believe I made an error when
testing the different pinentry programs.  I believe I forgot to restart
the gpg-agent, which would explain why simply changing the contents of
the gpg-agent.conf file did not seem to fix the issue.

I did another test just now.  I tried changing the contents of the
gpg-agent.conf file, and I made sure to kill the gpg-agent process after
each change, so that gpg-agent would reload the file for sure.  When I
did this, I found that only pinentry-gtk-2 exhibits this issue (note
that pinentry is a symlink to pinentry-gtk-2).  In particular,
pinentry-curses, pinentry-tty, and pinentry-gnome3 all worked for me.

Is anyone able to reproduce the issue using pinentry-gtk-2?  The
following steps should reproduce the issue:

* Log into a GNOME session on (a recently updated) GuixSD.

* In $HOME/.gnupg/gpg-agent.conf, set pinentry-program to
  pinentry-gtk-2, for example:

    pinentry-program /home/marusich/.guix-profile/bin/pinentry-gtk-2

* If the gpg-agent process is running, kill it to make sure it loads the
  new gpg-agent.conf.

* Try to sign a message, e.g.:

    echo hello > /tmp/message
    gpg --sign /tmp/message

You should get the error very frequently.

ludo@gnu.org (Ludovic Courtès) writes:

> For the record, I’ve never experienced this problem (that’s outside of
> GNOME) with:

For me, this problem doesn't happen outside of GNOME.

> $ guix package -I '(gnupg|pinentry)'
> pinentry	1.0.0	out	/gnu/store/57dg2i4backl38bw4ipcsdg1b7df9j64-pinentry-1.0.0
> gnupg	2.1.16	out	/gnu/store/fz44xcp1iksikjvcc472bgsr9hs8ygkq-gnupg-2.1.16

I'm using these versions:

  $ guix package -I '(gnupg|pinentry)'
  gnupg	2.1.17	out	/gnu/store/mcsi9rp06q0xxds4mwdgh1p16bifjxvk-gnupg-2.1.17
  pinentry-gnome3	1.0.0	out	/gnu/store/4kq8isyz7k8y64l7mjy90y4rjv7mh9x8-pinentry-gnome3-1.0.0


The problem also occurred when using the "pinentry" package (instead of
the "pinentry-gnome3" package):

  /gnu/store/b72r4rgr9irqy5zvb8i9hmrgrbb88ndf-pinentry-1.0.0

> ISTR that GNOME has a hack to force its own Pinentry tool.  Could it be
> what’s at fault?

Where can I find more info about this hack?  I did some Internet
searches, but I couldn't find anything specific.

This bug is no longer blocking me, since I can use pinentry-gnome3, but
I'm still concerned about the fact that pinentry-gtk-2 fails very
frequently, even though it didn't on the previous version.

-- 
Chris
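
Added example, not part of the original message or of the Guix or GnuPG projects: the reproduction steps above as a POSIX shell helper that rewrites pinentry-program, stops gpg-agent so the edited file is read, and counts how many signing attempts end in "Operation cancelled".  The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# set_pinentry_program CONF PROGRAM
# Leave exactly one pinentry-program line in CONF and keep every other option.
set_pinentry_program() {
    conf=$1
    prog=$2
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if [ -f "$conf" ]; then
        # grep exits 1 when nothing is left to copy; that is not an error here.
        grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    fi
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    mv "$tmp" "$conf"
}

# Stop the running agent, as done by hand in the thread; the next gpg call
# starts a fresh gpg-agent, which reads the edited gpg-agent.conf.
restart_agent() {
    gpgconf --kill gpg-agent
}

# count_cancelled N [COMMAND...]
# Run COMMAND N times and print how many runs reported "Operation cancelled"
# on stderr.  Default command: the signing step from the reproduction steps.
count_cancelled() {
    n=$1
    shift
    [ "$#" -gt 0 ] || set -- gpg --yes --output /dev/null --sign /tmp/message
    cancelled=0
    i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        # LC_ALL=C keeps gpg's message untranslated; stdout is discarded.
        if LC_ALL=C "$@" 2>&1 >/dev/null | grep -q 'Operation cancelled'; then
            cancelled=$((cancelled + 1))
        fi
    done
    echo "$cancelled"
}

# Interactive use on the affected machine:
#   set_pinentry_program "$HOME/.gnupg/gpg-agent.conf" \
#       "$HOME/.guix-profile/bin/pinentry-gtk-2"
#   restart_agent
#   echo hello > /tmp/message
#   count_cancelled 20
```

A successful run leaves the passphrase cached in the agent, so call restart_agent between runs if each run should reach pinentry again.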

* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Daniel Pimentel @ 2017-01-20 12:16 UTC
  To: Chris Marusich; +Cc: bug-Guix, 25328

I used this:

gpg-agent --daemon --use-standard-socket --pinentry-program /home/dani/.guix-profile/bin/pinentry-curses

It works for me. More on my site: https://d4n1.org/gnupg.html

Thanks,

---
Daniel Pimentel (d4n1)

On 2017-01-20 05:14, Chris Marusich wrote:
> Hi,
> 
> Previously, I wrote:
> 
>> In GNOME, this issue DOES occur regardless of which "pinentry" program
>> I specify in my ~/.gnupg/gpg-agent.conf file (the same issue occurs
>> with pinentry, pinentry-curses, pinentry-gtk-2, and pinentry-tty).
> 
> I don't think this is actually true.  I believe I made an error when
> testing the different pinentry programs.  I believe I forgot to restart
> the gpg-agent, which would explain why simply changing the contents of
> the gpg-agent.conf file did not seem to fix the issue.
> 
> I did another test just now.  I tried changing the contents of the
> gpg-agent.conf file, and I made sure to kill the gpg-agent process after
> each change, so that gpg-agent would reload the file for sure.  When I
> did this, I found that only pinentry-gtk-2 exhibits this issue (note
> that pinentry is a symlink to pinentry-gtk-2).  In particular,
> pinentry-curses, pinentry-tty, and pinentry-gnome3 all worked for me.
> 
> Is anyone able to reproduce the issue using pinentry-gtk-2?  The
> following steps should reproduce the issue:
> 
> * Log into a GNOME session on (a recently updated) GuixSD.
> 
> * In $HOME/.gnupg/gpg-agent.conf, set pinentry-program to
>   pinentry-gtk-2, for example:
> 
>     pinentry-program /home/marusich/.guix-profile/bin/pinentry-gtk-2
> 
> * If the gpg-agent process is running, kill it to make sure it loads the
>   new gpg-agent.conf.
> 
> * Try to sign a message, e.g.:
> 
>     echo hello > /tmp/message
>     gpg --sign /tmp/message
> 
> You should get the error very frequently.
> 
> ludo@gnu.org (Ludovic Courtès) writes:
> 
>> For the record, I’ve never experienced this problem (that’s outside of
>> GNOME) with:
> 
> For me, this problem doesn't happen outside of GNOME.
> 
>> $ guix package -I '(gnupg|pinentry)'
>> pinentry	1.0.0	out	/gnu/store/57dg2i4backl38bw4ipcsdg1b7df9j64-pinentry-1.0.0
>> gnupg	2.1.16	out	/gnu/store/fz44xcp1iksikjvcc472bgsr9hs8ygkq-gnupg-2.1.16
> 
> I'm using these versions:
> 
>   $ guix package -I '(gnupg|pinentry)'
>   gnupg	2.1.17	out	/gnu/store/mcsi9rp06q0xxds4mwdgh1p16bifjxvk-gnupg-2.1.17
>   pinentry-gnome3	1.0.0	out	/gnu/store/4kq8isyz7k8y64l7mjy90y4rjv7mh9x8-pinentry-gnome3-1.0.0
> 
> 
> The problem also occurred when using the "pinentry" package (instead of
> the "pinentry-gnome3" package):
> 
>   /gnu/store/b72r4rgr9irqy5zvb8i9hmrgrbb88ndf-pinentry-1.0.0
> 
>> ISTR that GNOME has a hack to force its own Pinentry tool.  Could it be
>> what’s at fault?
> 
> Where can I find more info about this hack?  I did some Internet
> searches, but I couldn't find anything specific.
> 
> This bug is no longer blocking me, since I can use pinentry-gnome3, but
> I'm still concerned about the fact that pinentry-gtk-2 fails very
> frequently, even though it didn't on the previous version.

* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Ludovic Courtès @ 2017-01-20 12:39 UTC
  To: Chris Marusich; +Cc: 25328

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Previously, I wrote:
>
>> In GNOME, this issue DOES occur regardless of which "pinentry" program
>> I specify in my ~/.gnupg/gpg-agent.conf file (the same issue occurs
>> with pinentry, pinentry-curses, pinentry-gtk-2, and pinentry-tty).
>
> I don't think this is actually true.  I believe I made an error when
> testing the different pinentry programs.  I believe I forgot to restart
> the gpg-agent, which would explain why simply changing the contents of
> the gpg-agent.conf file did not seem to fix the issue.
>
> I did another test just now.  I tried changing the contents of the
> gpg-agent.conf file, and I made sure to kill the gpg-agent process after
> each change, so that gpg-agent would reload the file for sure.  When I
> did this, I found that only pinentry-gtk-2 exhibits this issue (note
> that pinentry is a symlink to pinentry-gtk-2).  In particular,
> pinentry-curses, pinentry-tty, and pinentry-gnome3 all worked for me.
>
> Is anyone able to reproduce the issue using pinentry-gtk-2?  The
> following steps should reproduce the issue:
>
> * Log into a GNOME session on (a recently updated) GuixSD.
>
> * In $HOME/.gnupg/gpg-agent.conf, set pinentry-program to
>   pinentry-gtk-2, for example:
>
>     pinentry-program /home/marusich/.guix-profile/bin/pinentry-gtk-2
>
> * If the gpg-agent process is running, kill it to make sure it loads the
>   new gpg-agent.conf.
>
> * Try to sign a message, e.g.:
>
>     echo hello > /tmp/message
>     gpg --sign /tmp/message
>
> You should get the error very frequently.

Could you report these steps upstream?  That does not seem to be
Guix-specific, though I suppose other distros probably install
pinentry-gnome3 automatically when you install GNOME, such that the
problem doesn’t show up.

>> ISTR that GNOME has a hack to force its own Pinentry tool.  Could it be
>> what’s at fault?
>
> Where can I find more info about this hack?  I did some Internet
> searches, but I couldn't find anything specific.

The “hack” I was referring to is probably just pinentry-gnome3.

> This bug is no longer blocking me, since I can use pinentry-gnome3, but
> I'm still concerned about the fact that pinentry-gtk-2 fails very
> frequently, even though it didn't on the previous version.

It seems like bad interaction between pinentry-gtk2 and GNOME.

On this topic, I found
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791379>.  Strangely,
that bug discusses the opposite problem.  :-)

Ludo’.

* bug#25328: gpg: "Operation cancelled" with pinentry 1.0.0 on GNOME
From: Chris Marusich @ 2017-01-21 10:38 UTC
  To: Ludovic Courtès; +Cc: 25328

ludo@gnu.org (Ludovic Courtès) writes:

> Could you report these steps upstream?  That does not seem to be
> Guix-specific, though I suppose other distros probably install
> pinentry-gnome3 automatically when you install GNOME, such that the
> problem doesn’t show up.

I've sent an email to gnupg-devel@gnupg.org asking for help.  I'll
update this bug report when I have more to report.

> The “hack” I was referring to is probably just pinentry-gnome3.

I see.

>> This bug is no longer blocking me, since I can use pinentry-gnome3, but
>> I'm still concerned about the fact that pinentry-gtk-2 fails very
>> frequently, even though it didn't on the previous version.
>
> It seems like bad interaction between pinentry-gtk2 and GNOME.
>
> On this topic, I found
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791379>.  Strangely,
> that bug discusses the opposite problem.  :-)

Weird.  I'm not sure how to approach bugs like this.  I could strace in
the dark and hope to see something that shows me the light, but
hopefully the gnupg email list will know better how to troubleshoot it.

-- 
Chris
