Package: gnome-keyring
Version: 3.28.2-5
Severity: normal

There are two existing bugs about "ssh-add -c" sign confirmation, #475502 and #493874, presumably dupes and actually fixed since the breakage I'm seeing now is at a later stage:

ssh-add -c adds a key successfully now, no warnings and no unconfirmed signatures anymore, but sadly no signatures at all in fact, instead I'm getting "agent refused operation" errors:

    sign_and_send_pubkey: signing failed: agent refused operation

I noticed that ssh-agent is running without the $DISPLAY variable set which makes asking for confirmation pretty difficult of course. I think this happens because gnome-keyring is started early on by the PAM module?

The PAM module code does seem to have code for propagating $DISPLAY here:

    https://github.com/GNOME/gnome-keyring/blob/mainline/pam/gkr-pam-module.c#L406

But I guess the PAM module isn't even receiving the variable? I've tried playing with /etc/security/pam_env but overriding to a fixed value isn't very useful when the $DISPLAY value is unpredictable.

README.Debian suggests that I could uninstall libpam-gnome-keyring to have gnome-keyring start at a later stage (but without auto-unlocked keyring file) which could maybe fix this issue, but dependencies didn't let me try that out, plus having to type my password twice to get to my keyring wouldn't be nice either. :-(

This is where my understanding of PAM ends sadly. :-( Is this environment variable filtering working too hard? Is there a way to have libpam-gnome-keyring pass this through again?

I believe this is a fairly plain Debian Stable install. I've done a quick diff between the current gnome-keyring from sid and there are no relevant looking changes to the PAM module.

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-keyring depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.12.16-1
ii  dbus-x11 [dbus-session-bus]                   1.12.16-1
ii  dconf-gsettings-backend [gsettings-backend]   0.30.1-2
ii  gcr                                           3.28.1-1
ii  libc6                                         2.28-10
ii  libcap-ng0                                    0.7.9-2
ii  libcap2-bin                                   1:2.25-2
ii  libgck-1-0                                    3.28.1-1
ii  libgcr-base-3-1                               3.28.1-1
ii  libgcrypt20                                   1.8.4-5
ii  libglib2.0-0                                  2.58.3-2+deb10u2
ii  p11-kit                                       0.23.15-2
ii  pinentry-gnome3                               1.1.0-2
ii  gdm3 3.30.2-3 amd64 GNOME Display Manager

Versions of packages gnome-keyring recommends:
ii  gnome-keyring-pkcs11  3.28.2-5
ii  libpam-gnome-keyring  3.28.2-5

gnome-keyring suggests no packages.
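
Added example, not part of the original report or of gnome-keyring: one way to confirm the observation above, by reading the start-up environment of the running agent processes from /proc and reporting whether $DISPLAY was passed to them. The function names are hypothetical; it assumes a Linux /proc and that the agent runs as the invoking user.

```shell
#!/bin/sh
# Added example: does a running SSH agent have $DISPLAY in its environment?
# /proc/PID/environ holds the NUL-separated environment the process was
# started with, which is what the agent hands to its confirmation prompt.

# env_get FILE NAME: print NAME's value from a NUL-separated environ file.
# Returns non-zero when NAME is absent or empty.
env_get() {
    val=$(tr '\000' '\n' 2>/dev/null < "$1" | sed -n "s/^$2=//p" | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# scan_agents: report DISPLAY for every readable ssh-agent or
# gnome-keyring-daemon process. /proc/PID/comm is truncated to 15
# characters, hence "gnome-keyring-d".
scan_agents() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        name=$(cat "$comm" 2>/dev/null) || continue
        case "$name" in
            ssh-agent|gnome-keyring-d) ;;
            *) continue ;;
        esac
        dir=${comm%/comm}
        [ -r "$dir/environ" ] || continue
        if d=$(env_get "$dir/environ" DISPLAY); then
            echo "pid ${dir#/proc/} ($name): DISPLAY=$d"
        else
            echo "pid ${dir#/proc/} ($name): DISPLAY not set"
        fi
    done
    return 0
}

scan_agents
```

A "DISPLAY not set" line for the agent that owns $SSH_AUTH_SOCK matches the situation described in the report.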

