bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Danny Milosavljevic]

dannym@dayas ~/src/guix$ strace -f  git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
[pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
[pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32

dannym@dayas ~$ which pinentry
/home/dannym/.guix-profile/bin/pinentry
dannym@dayas ~$ pinen<TAB>
pinentry         pinentry-curses  pinentry-gtk-2   pinentry-tty
dannym@dayas ~$ pinentry
OK Pleased to meet you

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Ludovic Courtès]

Danny Milosavljevic <dannym@scratchpost.org> skribis:

> dannym@dayas ~/src/guix$ strace -f  git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
> [pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
> [pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
>
> dannym@dayas ~$ which pinentry
> /home/dannym/.guix-profile/bin/pinentry
> dannym@dayas ~$ pinen<TAB>
> pinentry         pinentry-curses  pinentry-gtk-2   pinentry-tty
> dannym@dayas ~$ pinentry
> OK Pleased to meet you

My ~/.gnupg/gpg-agent.conf file reads this:

--8<---------------cut here---------------start------------->8---
pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
--8<---------------cut here---------------end--------------->8---

… and I have:

--8<---------------cut here---------------start------------->8---
$ guix package --list-installed=pinentry
pinentry	0.9.7	out	/gnu/store/2ngvzmsmjykaiv697ffnl7ajc3dm0rrh-pinentry-0.9.7
--8<---------------cut here---------------end--------------->8---

Could it be that you’re missing one of these?

HTH,
Ludo’.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Danny Milosavljevic]

Hi Ludo,

> My ~/.gnupg/gpg-agent.conf file reads this:
> 
> --8<---------------cut here---------------start------------->8---
> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
> --8<---------------cut here---------------end--------------->8---

Yes, the file didn't exist. I created it and it works now.

I did install the pinentry package, though.

Do you think it would make sense to put this in the skeleton for new user accounts?

It wouldn't matter if it's were not installed then - then the user will get an error message and would install it (hopefully). But then it would work.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Ludovic Courtès]

Hi,

Danny Milosavljevic <dannym@scratchpost.org> skribis:

>> My ~/.gnupg/gpg-agent.conf file reads this:
>> 
>> --8<---------------cut here---------------start------------->8---
>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>> --8<---------------cut here---------------end--------------->8---
>
> Yes, the file didn't exist. I created it and it works now.

Great.

> I did install the pinentry package, though.
>
> Do you think it would make sense to put this in the skeleton for new user accounts?

Maybe.  Ideally, this would be addressed by GnuPG itself, which should
somehow make it easier to set it up, because there’s nothing
GuixSD-specific here AFAICS.  What do other distros do to help?

Thanks,
Ludo’.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Alex Kost]

Ludovic Courtès (2016-07-27 14:01 +0300) wrote:

> Hi,
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>> 
>>> --8<---------------cut here---------------start------------->8---
>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>> --8<---------------cut here---------------end--------------->8---
>>
>> Yes, the file didn't exist. I created it and it works now.
>
> Great.
>
>> I did install the pinentry package, though.
>>
>> Do you think it would make sense to put this in the skeleton for new user accounts?
>
> Maybe.  Ideally, this would be addressed by GnuPG itself, which should
> somehow make it easier to set it up, because there’s nothing
> GuixSD-specific here AFAICS.  What do other distros do to help?

My guess: other distros do nothing, because GnuPG searches for
pinentries in a default bindir, I mean in a dir where gpg is placed
(/usr/bin or whatever).

IMO this is Guix-specific, as you have to run gpg-agent with
--pinentry-program option (or specify it in the "gpg-agent.conf" file).

-- 
Alex

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Ludovic Courtès]

Alex Kost <alezost@gmail.com> skribis:

> Ludovic Courtès (2016-07-27 14:01 +0300) wrote:
>
>> Hi,
>>
>> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>>
>>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>>> 
>>>> --8<---------------cut here---------------start------------->8---
>>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> Yes, the file didn't exist. I created it and it works now.
>>
>> Great.
>>
>>> I did install the pinentry package, though.
>>>
>>> Do you think it would make sense to put this in the skeleton for new user accounts?
>>
>> Maybe.  Ideally, this would be addressed by GnuPG itself, which should
>> somehow make it easier to set it up, because there’s nothing
>> GuixSD-specific here AFAICS.  What do other distros do to help?
>
> My guess: other distros do nothing, because GnuPG searches for
> pinentries in a default bindir, I mean in a dir where gpg is placed
> (/usr/bin or whatever).
>
> IMO this is Guix-specific, as you have to run gpg-agent with
> --pinentry-program option (or specify it in the "gpg-agent.conf" file).

Good point.

What about having GnuPG depend on pinentry-tty, and configuring it with:

  --with-pinentry-pgm=/path/to/pinentry-tty

?  That would at least provide a reasonable default.  The closure size
of GnuPG would increase from 220 to 243 MiB (+10%).

Most of the time, people will want to use pinentry-gtk though.

Another option would be to change ‘gnupg_module_name’, in homedir.c, from:

--8<---------------cut here---------------start------------->8---
    case GNUPG_MODULE_NAME_PINENTRY:
#ifdef GNUPG_DEFAULT_PINENTRY
      return GNUPG_DEFAULT_PINENTRY;
#else
      X(bindir, "pinentry");
#endif
--8<---------------cut here---------------end--------------->8---

to something like:

--8<---------------cut here---------------start------------->8---
    case GNUPG_MODULE_NAME_PINENTRY:
      X(homedir, ".guix-profile/bin/pinentry);
--8<---------------cut here---------------end--------------->8---

… in which case GnuPG would default to the user-installed pinentry, if
available.  Not perfect either, but closer to what other distros do.

Thoughts?

Ludo’.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Danny Milosavljevic]

> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
> 
> --8<---------------cut here---------------start------------->8---
>     case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
>       return GNUPG_DEFAULT_PINENTRY;
> #else
>       X(bindir, "pinentry");
> #endif
> --8<---------------cut here---------------end--------------->8---
> 
> to something like:
> 
> --8<---------------cut here---------------start------------->8---
>     case GNUPG_MODULE_NAME_PINENTRY:
>       X(homedir, ".guix-profile/bin/pinentry);
> --8<---------------cut here---------------end--------------->8---
> 
> … in which case GnuPG would default to the user-installed pinentry, if
> available.  Not perfect either, but closer to what other distros do.

I would like that, yes. It's not like the X(bindir, "pinentry") would ever work in GuixSD anyway - so no loss.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Alex Kost]

Danny Milosavljevic (2016-07-28 15:04 +0300) wrote:

>> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>> 
>> --8<---------------cut here---------------start------------->8---
>>     case GNUPG_MODULE_NAME_PINENTRY:
>> #ifdef GNUPG_DEFAULT_PINENTRY
>>       return GNUPG_DEFAULT_PINENTRY;
>> #else
>>       X(bindir, "pinentry");
>> #endif
>> --8<---------------cut here---------------end--------------->8---
>> 
>> to something like:
>> 
>> --8<---------------cut here---------------start------------->8---
>>     case GNUPG_MODULE_NAME_PINENTRY:
>>       X(homedir, ".guix-profile/bin/pinentry);
>> --8<---------------cut here---------------end--------------->8---
>> 
>> … in which case GnuPG would default to the user-installed pinentry, if
>> available.  Not perfect either, but closer to what other distros do.
>
> I would like that, yes. It's not like the X(bindir, "pinentry") would
> ever work in GuixSD anyway - so no loss.

(Not only GuixSD, but Guix in general)

I agree, this would be better than the current situation.

-- 
Alex

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Federico Beffa]

Note that installing 'gnupg' doesn't automatically bring in
'pinentry'. For this reason installing 'gnupg' doesn't work out of the
box as a user would expect:

gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry


Fede

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Ludovic Courtès]

Federico Beffa <beffa@ieee.org> skribis:

> Note that installing 'gnupg' doesn't automatically bring in
> 'pinentry'. For this reason installing 'gnupg' doesn't work out of the
> box as a user would expect:
>
> gpg: agent_genkey failed: No pinentry
> Key generation failed: No pinentry

I agree that this is a problem.  A fix that would work is the 2nd option
outlined at:

  https://lists.gnu.org/archive/html/bug-guix/2016-07/msg00092.html

Haven’t taken the time to look into it yet!

Ludo’.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Robert Vollmert]

Just to note that this is still a problem. I just installed
gnupg (via guix install gnupg), and gpg --generate-keys fails
due to missing pinentry. I had to find this bug report to
work around this.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Ludovic Courtès]

Hi!

ludo@gnu.org (Ludovic Courtès) skribis:

> What about having GnuPG depend on pinentry-tty, and configuring it with:
>
>   --with-pinentry-pgm=/path/to/pinentry-tty
>
> ?  That would at least provide a reasonable default.  The closure size
> of GnuPG would increase from 220 to 243 MiB (+10%).
>
> Most of the time, people will want to use pinentry-gtk though.
>
> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>
>     case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
>       return GNUPG_DEFAULT_PINENTRY;
> #else
>       X(bindir, "pinentry");
> #endif
>
>
> to something like:
>
>     case GNUPG_MODULE_NAME_PINENTRY:
>       X(homedir, ".guix-profile/bin/pinentry);
>
> … in which case GnuPG would default to the user-installed pinentry, if
> available.  Not perfect either, but closer to what other distros do.

I (finally!) implemented this second option in commit
c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

I confirmed that it has the indented effect like this:

--8<---------------cut here---------------start------------->8---
ludo@ribbon ~/src/guix$ ./pre-inst-env guix environment --ad-hoc gnupg strace coreutils sed grep -C
ludo@ribbon ~/src/guix [env]$ strace -f -o ,,s -s 500 gpg --generate-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/ludo/.gnupg' created
gpg: keybox '/home/ludo/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Foo Bar
Email address: foo@example.org
You selected this USER-ID:
    "Foo Bar <foo@example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

--8<---------------cut here---------------end--------------->8---

where the strace log shows:

  10    execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)

So now one just needs to install one of the pinentry packages.

Thanks,
Ludo’.

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Leo Famulari]

On Thu, Mar 26, 2020 at 01:09:40PM +0100, Ludovic Courtès wrote:
> I (finally!) implemented this second option in commit
> c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

It still doesn't work for me :/

> I confirmed that it has the indented effect like this:
[...]
> where the strace log shows:
> 
>   10    execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)

This path includes the ~/.gnupg directory, so users need to do `export
GNUPGHOME=$HOME` for the lookup to work.

Is it okay to make GnuPG do that automatically when building the path in
get_default_pinentry_name()?

bug#24076: [PATCH] gnu: GnuPG: Really use ~/.guix-profile/bin/pinentry by default.

[Leo Famulari]

This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

This patch does as expected for me! But it's been some years since I
wrote C code, so I copy existing functions and fought through compiler
errors to write this — please give a close review.

* gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find
the user's Guix profile and installed pinentry.
---
 .../patches/gnupg-default-pinentry.patch      | 39 +++++++++++++++----
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/patches/gnupg-default-pinentry.patch b/gnu/packages/patches/gnupg-default-pinentry.patch
index 272f4b53dc..5a3189b98a 100644
--- a/gnu/packages/patches/gnupg-default-pinentry.patch
+++ b/gnu/packages/patches/gnupg-default-pinentry.patch
@@ -1,15 +1,40 @@
-Default to the pinentry program installed in ~/.guix-profile.
-
 diff --git a/common/homedir.c b/common/homedir.c
-index e9e75d0..74e0aaf 100644
+index 4b6e46e88..de71e97b1 100644
 --- a/common/homedir.c
 +++ b/common/homedir.c
-@@ -968,7 +968,7 @@ get_default_pinentry_name (int reset)
+@@ -67,6 +67,10 @@
+  * gnupg_homedir and gnupg_set_homedir.  Malloced.  */
+ static char *the_gnupg_homedir;
+ 
++/* The user's home directory. Used in Guix to help GnuPG find the
++ * pinentry. */
++static char *the_user_homedir;
++
+ /* Flag indicating that home directory is not the default one.  */
+ static byte non_default_homedir;
+ 
+@@ -509,6 +513,16 @@ gnupg_homedir (void)
+   return the_gnupg_homedir;
+ }
+ 
++/* Return the user's home directory */
++const char *
++user_homedir (void)
++{
++  const char *dir;
++  dir = getenv("HOME");
++  if (!the_user_homedir)
++    the_user_homedir = make_absfilename (dir, NULL);
++  return the_user_homedir;
++}
+ 
+ /* Return whether the home dir is the default one.  */
+ int
+@@ -971,6 +985,7 @@ get_default_pinentry_name (int reset)
    } names[] = {
      /* The first entry is what we return in case we found no
         other pinentry.  */
--    { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S },
-+    { gnupg_homedir, "/.guix-profile/bin/pinentry" },
++    { user_homedir, "/.guix-profile/bin/pinentry" },
+     { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S },
  #ifdef HAVE_W32_SYSTEM
      /* Try Gpg4win directory (with bin and without.) */
-     { w32_rootdir, "\\..\\Gpg4win\\bin\\pinentry.exe" },
-- 
2.26.0

bug#24076: [PATCH] gnu: GnuPG: Really use ~/.guix-profile/bin/pinentry by default.

[Ludovic Courtès]

Hi Leo!

Leo Famulari <leo@famulari.name> skribis:

> This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.
>
> This patch does as expected for me! But it's been some years since I
> wrote C code, so I copy existing functions and fought through compiler
> errors to write this — please give a close review.
>
> * gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find
> the user's Guix profile and installed pinentry.

Thanks for fixing it, and apologies for the mistake!

> ++/* Return the user's home directory */
> ++const char *
> ++user_homedir (void)
> ++{
> ++  const char *dir;
> ++  dir = getenv("HOME");

Here I’d add:

  if (dir == NULL)
    {
       struct password *pw;
       pw = getpwuid (getuid ());
       if (pw != NULL)
         dir = pw->pw_dir;
       else
         dir = "/";
    }

Otherwise LGTM!

Ludo’.

bug#24076: [PATCH] gnu: GnuPG: Really use ~/.guix-profile/bin/pinentry by default.

[Leo Famulari]

On Sun, Mar 29, 2020 at 04:57:33PM +0200, Ludovic Courtès wrote:
> Here I’d add:
> 
>   if (dir == NULL)
>     {
>        struct password *pw;
>        pw = getpwuid (getuid ());
>        if (pw != NULL)
>          dir = pw->pw_dir;
>        else
>          dir = "/";
>     }
> 
> Otherwise LGTM!

Thanks, good idea! Pushed as e5b44b06b3fb19c897fb3e430bd41941905e101f

bug#24076: gnupg [-agent]: when signing [commits], it claims that there is no pinentry - but there is

[Alexandre Hannud Abdo]

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

Ni! For info, when installing Guix System with the gnome service,
pinentry is installed but it's in the system profile, so it still
doesn't work out of the box, and it's still not obvious that you need
to install it to solve the problem. Maybe the system pinentry could be
included? Cheers, ale .~´

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 195 bytes --]