dannym@dayas ~/src/guix$ strace -f git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
[pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
[pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
[pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32

dannym@dayas ~$ which pinentry
/home/dannym/.guix-profile/bin/pinentry
dannym@dayas ~$ pinen<TAB>
pinentry pinentry-curses pinentry-gtk-2 pinentry-tty
dannym@dayas ~$ pinentry
OK Pleased to meet you
Danny Milosavljevic <dannym@scratchpost.org> skribis:
> dannym@dayas ~/src/guix$ strace -f git commit -S -m "x" gnu/packages/databases.scm 2>&1 |grep pinentry
> [pid 32548] write(4, "OPTION allow-pinentry-notify", 28) = 28
> [pid 32548] read(4, "ERR 67108949 No pinentry <GPG Ag"..., 1002) = 37
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
> [pid 32548] write(2, "gpg: signing failed: No pinentry", 32gpg: signing failed: No pinentry) = 32
>
> dannym@dayas ~$ which pinentry
> /home/dannym/.guix-profile/bin/pinentry
> dannym@dayas ~$ pinen<TAB>
> pinentry pinentry-curses pinentry-gtk-2 pinentry-tty
> dannym@dayas ~$ pinentry
> OK Pleased to meet you
My ~/.gnupg/gpg-agent.conf file reads this:
--8<---------------cut here---------------start------------->8---
pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
--8<---------------cut here---------------end--------------->8---
… and I have:
--8<---------------cut here---------------start------------->8---
$ guix package --list-installed=pinentry
pinentry 0.9.7 out /gnu/store/2ngvzmsmjykaiv697ffnl7ajc3dm0rrh-pinentry-0.9.7
--8<---------------cut here---------------end--------------->8---
Could it be that you’re missing one of these?
HTH,
Ludo’.
Hi Ludo,
> My ~/.gnupg/gpg-agent.conf file reads this:
>
> --8<---------------cut here---------------start------------->8---
> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
> --8<---------------cut here---------------end--------------->8---
Yes, the file didn't exist. I created it and it works now.
I did install the pinentry package, though.
Do you think it would make sense to put this in the skeleton for new user accounts?
It wouldn't matter if it were not installed then - then the user would get an error message and would install it (hopefully). But then it would work.
Hi,

Danny Milosavljevic <dannym@scratchpost.org> skribis:

>> My ~/.gnupg/gpg-agent.conf file reads this:
>>
>> --8<---------------cut here---------------start------------->8---
>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>> --8<---------------cut here---------------end--------------->8---
>
> Yes, the file didn't exist. I created it and it works now.

Great.

> I did install the pinentry package, though.
>
> Do you think it would make sense to put this in the skeleton for new user accounts?

Maybe. Ideally, this would be addressed by GnuPG itself, which should
somehow make it easier to set it up, because there’s nothing
GuixSD-specific here AFAICS. What do other distros do to help?

Thanks,
Ludo’.
Ludovic Courtès (2016-07-27 14:01 +0300) wrote:
> Hi,
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>> --8<---------------cut here---------------end--------------->8---
>>
>> Yes, the file didn't exist. I created it and it works now.
>
> Great.
>
>> I did install the pinentry package, though.
>>
>> Do you think it would make sense to put this in the skeleton for new user accounts?
>
> Maybe. Ideally, this would be addressed by GnuPG itself, which should
> somehow make it easier to set it up, because there’s nothing
> GuixSD-specific here AFAICS. What do other distros do to help?
My guess: other distros do nothing, because GnuPG searches for
pinentries in a default bindir, I mean in a dir where gpg is placed
(/usr/bin or whatever).
IMO this is Guix-specific, as you have to run gpg-agent with
--pinentry-program option (or specify it in the "gpg-agent.conf" file).
--
Alex
Alex Kost <alezost@gmail.com> skribis:
> Ludovic Courtès (2016-07-27 14:01 +0300) wrote:
>
>> Hi,
>>
>> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>>
>>>> My ~/.gnupg/gpg-agent.conf file reads this:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> pinentry-program /home/ludo/.guix-profile/bin/pinentry-gtk-2
>>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> Yes, the file didn't exist. I created it and it works now.
>>
>> Great.
>>
>>> I did install the pinentry package, though.
>>>
>>> Do you think it would make sense to put this in the skeleton for new user accounts?
>>
>> Maybe. Ideally, this would be addressed by GnuPG itself, which should
>> somehow make it easier to set it up, because there’s nothing
>> GuixSD-specific here AFAICS. What do other distros do to help?
>
> My guess: other distros do nothing, because GnuPG searches for
> pinentries in a default bindir, I mean in a dir where gpg is placed
> (/usr/bin or whatever).
>
> IMO this is Guix-specific, as you have to run gpg-agent with
> --pinentry-program option (or specify it in the "gpg-agent.conf" file).
Good point.
What about having GnuPG depend on pinentry-tty, and configuring it with:
--with-pinentry-pgm=/path/to/pinentry-tty
? That would at least provide a reasonable default. The closure size
of GnuPG would increase from 220 to 243 MiB (+10%).
Most of the time, people will want to use pinentry-gtk though.
Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
--8<---------------cut here---------------start------------->8---
case GNUPG_MODULE_NAME_PINENTRY:
#ifdef GNUPG_DEFAULT_PINENTRY
return GNUPG_DEFAULT_PINENTRY;
#else
X(bindir, "pinentry");
#endif
--8<---------------cut here---------------end--------------->8---
to something like:
--8<---------------cut here---------------start------------->8---
case GNUPG_MODULE_NAME_PINENTRY:
X(homedir, ".guix-profile/bin/pinentry");
--8<---------------cut here---------------end--------------->8---
… in which case GnuPG would default to the user-installed pinentry, if
available. Not perfect either, but closer to what other distros do.
Thoughts?
Ludo’.
> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>
> --8<---------------cut here---------------start------------->8---
> case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
> return GNUPG_DEFAULT_PINENTRY;
> #else
> X(bindir, "pinentry");
> #endif
> --8<---------------cut here---------------end--------------->8---
>
> to something like:
>
> --8<---------------cut here---------------start------------->8---
> case GNUPG_MODULE_NAME_PINENTRY:
> X(homedir, ".guix-profile/bin/pinentry");
> --8<---------------cut here---------------end--------------->8---
>
> … in which case GnuPG would default to the user-installed pinentry, if
> available. Not perfect either, but closer to what other distros do.
I would like that, yes. It's not like the X(bindir, "pinentry") would ever work in GuixSD anyway - so no loss.
Danny Milosavljevic (2016-07-28 15:04 +0300) wrote:
>> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>>
>> --8<---------------cut here---------------start------------->8---
>> case GNUPG_MODULE_NAME_PINENTRY:
>> #ifdef GNUPG_DEFAULT_PINENTRY
>> return GNUPG_DEFAULT_PINENTRY;
>> #else
>> X(bindir, "pinentry");
>> #endif
>> --8<---------------cut here---------------end--------------->8---
>>
>> to something like:
>>
>> --8<---------------cut here---------------start------------->8---
>> case GNUPG_MODULE_NAME_PINENTRY:
>> X(homedir, ".guix-profile/bin/pinentry");
>> --8<---------------cut here---------------end--------------->8---
>>
>> … in which case GnuPG would default to the user-installed pinentry, if
>> available. Not perfect either, but closer to what other distros do.
>
> I would like that, yes. It's not like the X(bindir, "pinentry") would
> ever work in GuixSD anyway - so no loss.
(Not only GuixSD, but Guix in general)
I agree, this would be better than the current situation.
--
Alex
Note that installing 'gnupg' doesn't automatically bring in 'pinentry'. For this reason installing 'gnupg' doesn't work out of the box as a user would expect:

gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

Fede
Federico Beffa <beffa@ieee.org> skribis:

> Note that installing 'gnupg' doesn't automatically bring in
> 'pinentry'. For this reason installing 'gnupg' doesn't work out of the
> box as a user would expect:
>
> gpg: agent_genkey failed: No pinentry
> Key generation failed: No pinentry

I agree that this is a problem. A fix that would work is the 2nd option outlined at:

https://lists.gnu.org/archive/html/bug-guix/2016-07/msg00092.html

Haven’t taken the time to look into it yet!

Ludo’.
Just to note that this is still a problem. I just installed gnupg (via guix install gnupg), and gpg --generate-keys fails due to missing pinentry. I had to find this bug report to work around this.
Hi!
ludo@gnu.org (Ludovic Courtès) skribis:
> What about having GnuPG depend on pinentry-tty, and configuring it with:
>
> --with-pinentry-pgm=/path/to/pinentry-tty
>
> ? That would at least provide a reasonable default. The closure size
> of GnuPG would increase from 220 to 243 MiB (+10%).
>
> Most of the time, people will want to use pinentry-gtk though.
>
> Another option would be to change ‘gnupg_module_name’, in homedir.c, from:
>
> case GNUPG_MODULE_NAME_PINENTRY:
> #ifdef GNUPG_DEFAULT_PINENTRY
> return GNUPG_DEFAULT_PINENTRY;
> #else
> X(bindir, "pinentry");
> #endif
>
>
> to something like:
>
> case GNUPG_MODULE_NAME_PINENTRY:
> X(homedir, ".guix-profile/bin/pinentry");
>
> … in which case GnuPG would default to the user-installed pinentry, if
> available. Not perfect either, but closer to what other distros do.
I (finally!) implemented this second option in commit
c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.
I confirmed that it has the intended effect like this:
--8<---------------cut here---------------start------------->8---
ludo@ribbon ~/src/guix$ ./pre-inst-env guix environment --ad-hoc gnupg strace coreutils sed grep -C
ludo@ribbon ~/src/guix [env]$ strace -f -o ,,s -s 500 gpg --generate-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/home/ludo/.gnupg' created
gpg: keybox '/home/ludo/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Foo Bar
Email address: foo@example.org
You selected this USER-ID:
"Foo Bar <foo@example.org>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry
--8<---------------cut here---------------end--------------->8---
where the strace log shows:
10 execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)
So now one just needs to install one of the pinentry packages.
Thanks,
Ludo’.
On Thu, Mar 26, 2020 at 01:09:40PM +0100, Ludovic Courtès wrote:
> I (finally!) implemented this second option in commit
> c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.

It still doesn't work for me :/

> I confirmed that it has the intended effect like this:

[...]

> where the strace log shows:
>
> 10 execve("/home/ludo/.gnupg/.guix-profile/bin/pinentry", ["pinentry"], 0x7f7aa80035e0 /* 14 vars */) = -1 ENOENT (No such file or directory)

This path includes the ~/.gnupg directory, so users need to do `export GNUPGHOME=$HOME` for the lookup to work. Is it okay to make GnuPG do that automatically when building the path in get_default_pinentry_name()?
This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103. This patch does as expected for me! But it's been some years since I wrote C code, so I copy existing functions and fought through compiler errors to write this — please give a close review. * gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find the user's Guix profile and installed pinentry. --- .../patches/gnupg-default-pinentry.patch | 39 +++++++++++++++---- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/gnu/packages/patches/gnupg-default-pinentry.patch b/gnu/packages/patches/gnupg-default-pinentry.patch index 272f4b53dc..5a3189b98a 100644 --- a/gnu/packages/patches/gnupg-default-pinentry.patch +++ b/gnu/packages/patches/gnupg-default-pinentry.patch @@ -1,15 +1,40 @@ -Default to the pinentry program installed in ~/.guix-profile. - diff --git a/common/homedir.c b/common/homedir.c -index e9e75d0..74e0aaf 100644 +index 4b6e46e88..de71e97b1 100644 --- a/common/homedir.c 
+++ b/common/homedir.c -@@ -968,7 +968,7 @@ get_default_pinentry_name (int reset) +@@ -67,6 +67,10 @@ + * gnupg_homedir and gnupg_set_homedir. Malloced. */ + static char *the_gnupg_homedir; + ++/* The user's home directory. Used in Guix to help GnuPG find the ++ * pinentry. */ ++static char *the_user_homedir; ++ + /* Flag indicating that home directory is not the default one. */ + static byte non_default_homedir; + +@@ -509,6 +513,16 @@ gnupg_homedir (void) + return the_gnupg_homedir; + } + ++/* Return the user's home directory */ ++const char * ++user_homedir (void) ++{ ++ const char *dir; ++ dir = getenv("HOME"); ++ if (!the_user_homedir) ++ the_user_homedir = make_absfilename (dir, NULL); ++ return the_user_homedir; ++} + + /* Return whether the home dir is the default one. */ + int +@@ -971,6 +985,7 @@ get_default_pinentry_name (int reset) } names[] = { /* The first entry is what we return in case we found no other pinentry. */ -- { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S }, -+ { gnupg_homedir, "/.guix-profile/bin/pinentry" }, ++ { user_homedir, "/.guix-profile/bin/pinentry" }, + { gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S }, #ifdef HAVE_W32_SYSTEM /* Try Gpg4win directory (with bin and without.) */ - { w32_rootdir, "\\..\\Gpg4win\\bin\\pinentry.exe" }, -- 2.26.0
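Review bot: in the `user_homedir` addition (the `@@ -509,6 +513,16 @@` hunk), `dir = getenv("HOME");` is handed to `make_absfilename (dir, NULL)` with no NULL check, so any gpg-agent started without HOME in its environment builds the pinentry path from a NULL directory. Suggest falling back to the passwd entry for the calling uid, and to "/" when even that is missing, before calling `make_absfilename`: `if (dir == NULL) { struct passwd *pw = getpwuid (getuid ()); dir = pw ? pw->pw_dir : "/"; }`, with `<pwd.h>` included.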
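Review bot: the first hunk (`@@ -1,15 +1,40 @@`) removes the patch's only descriptive line, `-Default to the pinentry program installed in ~/.guix-profile.`, leaving gnupg-default-pinentry.patch with no statement of what it changes or why. Suggest keeping a one-line description above the `diff --git` header, updated to say that the lookup now starts at `$HOME/.guix-profile/bin/pinentry` and then falls back to GnuPG's bindir, since `{ gnupg_bindir, DIRSEP_S "pinentry" EXEEXT_S }` is kept as the second entry.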
Hi Leo!

Leo Famulari <leo@famulari.name> skribis:

> This is a followup to commit c7af9d0b5ebaa1fdb08ff5d8a56004998bcd8103.
>
> This patch does as expected for me! But it's been some years since I
> wrote C code, so I copy existing functions and fought through compiler
> errors to write this — please give a close review.
>
> * gnu/packages/patches/gnupg-default-pinentry.patch: Use $HOME to find
> the user's Guix profile and installed pinentry.

Thanks for fixing it, and apologies for the mistake!

> ++/* Return the user's home directory */
> ++const char *
> ++user_homedir (void)
> ++{
> ++  const char *dir;
> ++  dir = getenv("HOME");

Here I’d add:

  if (dir == NULL)
    {
      struct passwd *pw;
      pw = getpwuid (getuid ());
      if (pw != NULL)
        dir = pw->pw_dir;
      else
        dir = "/";
    }

Otherwise LGTM!

Ludo’.
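The lookup order proposed earlier in the thread (try the pinentry under the user's profile before GnuPG's own bindir) together with the HOME fallback from the review just above, written out as a stand-alone C example. This is added here and is not GnuPG's or Guix's code: `user_homedir_from`, `join_path`, `find_pinentry` and `demo_lookup` are names chosen for illustration, the paths under `/home/alice` and `/gnu/store/EXAMPLE-gnupg` are constructed, `fake_is_exec` stands in for the on-disk check so the lookup runs without any pinentry installed, and `real_is_exec` uses `access(2)` against the running machine.

```c
/* Added example (not GnuPG or Guix code): resolve the user's home
 * directory with a fallback, then walk an ordered candidate list for
 * the pinentry program the way the thread's patch does. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick the home directory: $HOME if set and non-empty, otherwise the
 * passwd entry for the calling uid, otherwise "/".  Taking the inputs
 * as parameters keeps the policy testable without touching the env. */
const char *user_homedir_from(const char *home_env, const struct passwd *pw)
{
    if (home_env != NULL && *home_env != '\0')
        return home_env;
    if (pw != NULL && pw->pw_dir != NULL && *pw->pw_dir != '\0')
        return pw->pw_dir;
    return "/";
}

const char *user_homedir(void)
{
    return user_homedir_from(getenv("HOME"), getpwuid(getuid()));
}

/* dir + suffix into buf; -1 if the result would not fit (no truncated
 * path is ever handed to an exec). */
int join_path(char *buf, size_t len, const char *dir, const char *suffix)
{
    int n = snprintf(buf, len, "%s%s", dir, suffix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

typedef struct {
    const char *dir;     /* base directory */
    const char *suffix;  /* path appended to it */
} pinentry_candidate;

/* Try candidates in order; return the index of the first one is_exec
 * accepts and leave its path in out, or -1 with out cleared. */
int find_pinentry(const pinentry_candidate *cands, size_t count,
                  int (*is_exec)(const char *), char *out, size_t outlen)
{
    for (size_t i = 0; i < count; i++) {
        if (join_path(out, outlen, cands[i].dir, cands[i].suffix) != 0)
            continue;
        if (is_exec(out))
            return (int)i;
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

/* Real check for use on a live machine. */
int real_is_exec(const char *path) { return access(path, X_OK) == 0; }

/* Constructed stand-in: pretend exactly one pinentry exists. */
static const char *const FAKE_PRESENT = "/home/alice/.guix-profile/bin/pinentry";
int fake_is_exec(const char *path) { return strcmp(path, FAKE_PRESENT) == 0; }

/* Constructed scenario: user profile first, GnuPG bindir second. */
int demo_lookup(char *out, size_t outlen)
{
    pinentry_candidate cands[] = {
        { "/home/alice", "/.guix-profile/bin/pinentry" },      /* constructed */
        { "/gnu/store/EXAMPLE-gnupg/bin", "/pinentry" },       /* placeholder */
    };
    return find_pinentry(cands, sizeof cands / sizeof cands[0],
                         fake_is_exec, out, outlen);
}

int main(void)
{
    char path[4096];
    int idx = demo_lookup(path, sizeof path);
    printf("constructed lookup -> candidate %d: %s\n", idx, path);

    pinentry_candidate live[] = { { user_homedir(), "/.guix-profile/bin/pinentry" } };
    idx = find_pinentry(live, 1, real_is_exec, path, sizeof path);
    printf("this machine -> %s\n",
           idx == 0 ? path : "(no pinentry in ~/.guix-profile/bin)");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c -o example`. The first output line is fixed by the constructed inputs; the second depends on whether `~/.guix-profile/bin/pinentry` exists on the machine, which is exactly the condition the thread ends on: with the profile path tried first, installing any of the pinentry packages is all that is needed, and the bindir entry that never contains a pinentry on Guix only matters as the upstream fallback.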
On Sun, Mar 29, 2020 at 04:57:33PM +0200, Ludovic Courtès wrote:
> Here I’d add:
>
> if (dir == NULL)
> {
> struct passwd *pw;
> pw = getpwuid (getuid ());
> if (pw != NULL)
> dir = pw->pw_dir;
> else
> dir = "/";
> }
>
> Otherwise LGTM!
Thanks, good idea! Pushed as e5b44b06b3fb19c897fb3e430bd41941905e101f
Ni!

For info, when installing Guix System with the gnome service, pinentry is installed but it's in the system profile, so it still doesn't work out of the box, and it's still not obvious that you need to install it to solve the problem.

Maybe the system pinentry could be included?

Cheers,
ale .~´