bug#54014: guix home pinentry weirdness

bug#54014: guix home pinentry weirdness

[Zacchaeus Scheffer]

[-- Attachment #1: Type: text/plain, Size: 676 bytes --]

Hi Guix,

There seems to be some problem installing password-store + pinentry
entirely via guix home.  When I have both installed as such, I get the
following outputs:

$ pinentry
OK Pleased to meet you
<C-c>
$ gpg --import ...
[prompts normally with pinentry, allows me to import]
$ pass
[my password entries]
$ pass [entry name]
gpg: decryption failed: No secret key
$ guix package -i pinentry
$ pass [entry name]
[prompts with pinentry and works normally]

So pinentry and pass seem to both be available, but don't work together
unless I install pinentry via guix package.

My guix install is about two months behind, so sorry if this has already
been patched.

-Zacchaeus

[-- Attachment #2: Type: text/html, Size: 963 bytes --]

bug#54014: guix home pinentry weirdness

[Zacchaeus Scheffer]

[-- Attachment #1: Type: text/plain, Size: 823 bytes --]

I thought it might be important to confirm package versions.  Here is some
sample commands and their output:

before guix package -i pinentry (pass not giving pinentry prompt)

$ ls -l $(which -a pinentry)
lrwxrwxrwx 1 root root 71 Dec 31  1969
/home/zacchae/.guix-home/profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry

after guix package -i pinentry (pass works normally)

$ ls -l $(which -a pinentry)
lrwxrwxrwx 1 root root 71 Dec 31  1969
/home/zacchae/.guix-home/profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry
lrwxrwxrwx 1 root root 71 Dec 31  1969
/home/zacchae/.guix-profile/bin/pinentry ->
/gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-1.2.0/bin/pinentry

So it's not as simple as a version mismatch.

-Zacchaeus

[-- Attachment #2: Type: text/html, Size: 998 bytes --]

bug#54014: guix home pinentry weirdness

[Liliana Marie Prikler]

Hi Zacchaeus,

Am Dienstag, dem 15.02.2022 um 15:16 -0500 schrieb Zacchaeus Scheffer:
> I thought it might be important to confirm package versions.  Here is
> some sample commands and their output:
> 
> before guix package -i pinentry (pass not giving pinentry prompt)
> 
> $ ls -l $(which -a pinentry)
> lrwxrwxrwx 1 root root 71 Dec 31  1969 /home/zacchae/.guix-
> home/profile/bin/pinentry ->
> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-
> 1.2.0/bin/pinentry
> 
> after guix package -i pinentry (pass works normally)
> 
> $ ls -l $(which -a pinentry)
> lrwxrwxrwx 1 root root 71 Dec 31  1969 /home/zacchae/.guix-
> home/profile/bin/pinentry ->
> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-pinentry-
> 1.2.0/bin/pinentry
> lrwxrwxrwx 1 root root 71 Dec 31  1969 /home/zacchae/.guix-
> profile/bin/pinentry -> /gnu/store/3hl7w63q0axngysrslkdw2a6jmgnm8kf-
> pinentry-1.2.0/bin/pinentry
Did you duplicate the output here?

In any case, the issue you're describing would make sense if pass was
calling pinentry as simply "pinentry" rather than by store path.  AFAIK
gpg has a configuration key telling it which pinentry to spawn -- I
personally set that to /run/current-system/profile/bin/pinentry-gnome3
on most of my machines.  Does pass adhere to that setting or does it
try to call pinentry on its own?

Cheers

bug#54014: guix home pinentry weirdness

[Andrew Tropin]

[-- Attachment #1: Type: text/plain, Size: 1346 bytes --]

On 2022-02-15 13:46, Zacchaeus Scheffer wrote:

> Hi Guix,
>
> There seems to be some problem installing password-store + pinentry
> entirely via guix home.  When I have both installed as such, I get the
> following outputs:
>
> $ pinentry
> OK Pleased to meet you
> <C-c>
> $ gpg --import ...
> [prompts normally with pinentry, allows me to import]
> $ pass
> [my password entries]
> $ pass [entry name]
> gpg: decryption failed: No secret key
> $ guix package -i pinentry
> $ pass [entry name]
> [prompts with pinentry and works normally]
>
> So pinentry and pass seem to both be available, but don't work together
> unless I install pinentry via guix package.
>
> My guix install is about two months behind, so sorry if this has already
> been patched.
>
> -Zacchaeus

I suspect that the problem is that someone at some moment of time
doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
find a pinentry.  Can you show `which gpg`, `which pass`, `which
pinentry`?

The gnupg home service from rde project goes a slightly other way and
just sets pinentry-program to absolute path in the store.  Such approach
works with pass well, you can take a look at it for inspiration:
https://git.sr.ht/~abcdw/rde/tree/master/item/gnu/home-services/gnupg.scm#L127

-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#54014: guix home pinentry weirdness

[Zacchaeus Scheffer]

[-- Attachment #1: Type: text/plain, Size: 1968 bytes --]

On Mon, Jul 4, 2022 at 1:50 AM Andrew Tropin <andrew@trop.in> wrote:

> On 2022-02-15 13:46, Zacchaeus Scheffer wrote:
> > There seems to be some problem installing password-store + pinentry
> > entirely via guix home.  When I have both installed as such, I get the
> > following outputs:
> >
> > $ pinentry
> > OK Pleased to meet you
> > <C-c>
> > $ gpg --import ...
> > [prompts normally with pinentry, allows me to import]
> > $ pass
> > [my password entries]
> > $ pass [entry name]
> > gpg: decryption failed: No secret key
> > $ guix package -i pinentry
> > $ pass [entry name]
> > [prompts with pinentry and works normally]
> >
> > So pinentry and pass seem to both be available, but don't work together
> > unless I install pinentry via guix package.
>
> I suspect that the problem is that someone at some moment of time
> doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
> find a pinentry.  Can you show `which gpg`, `which pass`, `which
> pinentry`?
>
Before running "guix package -i pinentry"
$ which -a pinentry
/home/zacchae/.guix-home/profile/bin/pinentry
$ which -a gpg
/home/zacchae/.guix-home/profile/bin/gpg
$ which -a pass
/home/zacchae/.guix-home/profile/bin/pass
After runing "guix package -i pinentry"
$ which -a pinentry
/home/zacchae/.guix-home/profile/bin/pinentry
/home/zacchae/.guix-profile/bin/pinentry
$ which -a gpg
/home/zacchae/.guix-home/profile/bin/gpg
$ which -a pass
/home/zacchae/.guix-home/profile/bin/pass

I can easily reproduce the behavior by removing or installing pinentry with
guix package.  Paths behave as expected.

The gnupg home service from rde project goes a slightly other way and
> just sets pinentry-program to absolute path in the store.  Such approach
> works with pass well, you can take a look at it for inspiration:
>
> https://git.sr.ht/~abcdw/rde/tree/master/item/gnu/home-services/gnupg.scm#L127
>
 I don't totally follow what's going on here, but maybe it will make more
sense later.

[-- Attachment #2: Type: text/html, Size: 2773 bytes --]

bug#54014: guix home pinentry weirdness

[Andrew Tropin]

[-- Attachment #1: Type: text/plain, Size: 3191 bytes --]

On 2022-07-17 00:44, Zacchaeus Scheffer wrote:

> On Mon, Jul 4, 2022 at 1:50 AM Andrew Tropin <andrew@trop.in> wrote:
>
>> On 2022-02-15 13:46, Zacchaeus Scheffer wrote:
>> > There seems to be some problem installing password-store + pinentry
>> > entirely via guix home.  When I have both installed as such, I get the
>> > following outputs:
>> >
>> > $ pinentry
>> > OK Pleased to meet you
>> > <C-c>
>> > $ gpg --import ...
>> > [prompts normally with pinentry, allows me to import]
>> > $ pass
>> > [my password entries]
>> > $ pass [entry name]
>> > gpg: decryption failed: No secret key
>> > $ guix package -i pinentry
>> > $ pass [entry name]
>> > [prompts with pinentry and works normally]
>> >
>> > So pinentry and pass seem to both be available, but don't work together
>> > unless I install pinentry via guix package.
>>
>> I suspect that the problem is that someone at some moment of time
>> doesn't have ~/.guix-home/profile/bin in its $PATH and thus it can't
>> find a pinentry.  Can you show `which gpg`, `which pass`, `which
>> pinentry`?
>>
> Before running "guix package -i pinentry"
> $ which -a pinentry
> /home/zacchae/.guix-home/profile/bin/pinentry
> $ which -a gpg
> /home/zacchae/.guix-home/profile/bin/gpg
> $ which -a pass
> /home/zacchae/.guix-home/profile/bin/pass
> After runing "guix package -i pinentry"
> $ which -a pinentry
> /home/zacchae/.guix-home/profile/bin/pinentry
> /home/zacchae/.guix-profile/bin/pinentry
> $ which -a gpg
> /home/zacchae/.guix-home/profile/bin/gpg
> $ which -a pass
> /home/zacchae/.guix-home/profile/bin/pass
>
> I can easily reproduce the behavior by removing or installing pinentry with
> guix package.  Paths behave as expected.

Probably there are some hardcoded PATHs for .guix-profile, but not for
.guix-home/profile. One of such examples, which can be unrelated to the
current issue:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/system.scm?h=7046e777212233b89df68379c270b448c45195ce#n1012

It will require investigation to find all the places, where and at what
time PATH (and maybe some other env vars) is/are set for all the
participants of the party to trace the root of the problem and properly
solve it =) Anyway, there is a workaround, which should help:

>
> The gnupg home service from rde project goes a slightly other way and
>> just sets pinentry-program to absolute path in the store.  Such approach
>> works with pass well, you can take a look at it for inspiration:
>>
>> https://git.sr.ht/~abcdw/rde/tree/master/item/gnu/home-services/gnupg.scm#L127
>>
>  I don't totally follow what's going on here, but maybe it will make more
> sense later.

Basically it adds the following content to gpg-agent.conf:

--8<---------------cut here---------------start------------->8---
enable-ssh-support 
pinentry-program /gnu/store/r5j2gmfv8akp8p746l6jqy5qwpz0zkhm-pinentry-qt-1.2.0/bin/pinentry-qt
--8<---------------cut here---------------end--------------->8---

You can try to set pinentry-program to
/home/zacchae/.guix-home/profile/bin/pinentry

Or better directly use gnupg home service.

-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]