Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-27 Thread Michal Hocko
On Thu, Feb 23, 2017 at 11:22:32AM -0500, Daniel Kahn Gillmor wrote:
> On Thu 2017-02-23 10:55:24 -0500, Michal Hocko  wrote:
> > On Sun, Feb 12, 2017 at 06:47:15PM -0500, Daniel Kahn Gillmor wrote:
> > [...]
> >> If this report is strictly about the yubikey smartcard, we should
> >> reassign it to scdaemon.  Does "git tag -S" work for you when you are
> >> *not* using a smartcard?
> >
> > Well I am not using any smartcards. I just have my private keyring on a
> > USB flash disk and
> > ~/.gnupg/secring.gpg -> /mnt/security/.gnupg/secring.gpg
> >
> > but that shouldn't matter, right?
> 
> gpg 2.1 does not store or use secret keys in the same way as 1.4.  In
> particular, secring.gpg is no longer used, and secret key material is
> stored in ~/.gnupg/private-keys-v1.d/
> 
> if you want to continue to use your USB flash disk, i recommend (when
> the USB disk is inserted and mounted):
> 
>   if [ -d ~/.gnupg/private-keys-v1.d ]; then
>     mv ~/.gnupg/private-keys-v1.d /mnt/security/.gnupg/
>   else
>     mkdir -m 0700 /mnt/security/.gnupg/private-keys-v1.d
>   fi
>   ln -s /mnt/security/.gnupg/private-keys-v1.d ~/.gnupg/private-keys-v1.d
>   if [ -L ~/.gnupg/secring.gpg ]; then
>     rm ~/.gnupg/secring.gpg
>   fi
>   gpg --batch --import < /mnt/security/.gnupg/secring.gpg
> 
> Once this is done and you're sure you have access to the secret keys you
> want, you can also delete /mnt/security/.gnupg/secring.gpg.
> 
> hope this helps,

unfortunately nope. The same problem I saw the last time. I get a
password prompt and then gpg agent hogs one CPU, so basically the same
situation I have described earlier (email 12 Jan 2017 - message-id
20170112105934.ga16...@dhcp22.suse.cz).
-- 
Michal Hocko



Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-23 Thread Daniel Kahn Gillmor
On Thu 2017-02-23 10:55:24 -0500, Michal Hocko  wrote:
> On Sun, Feb 12, 2017 at 06:47:15PM -0500, Daniel Kahn Gillmor wrote:
> [...]
>> If this report is strictly about the yubikey smartcard, we should
>> reassign it to scdaemon.  Does "git tag -S" work for you when you are
>> *not* using a smartcard?
>
> Well I am not using any smartcards. I just have my private keyring on a
> USB flash disk and
> ~/.gnupg/secring.gpg -> /mnt/security/.gnupg/secring.gpg
>
> but that shouldn't matter, right?

gpg 2.1 does not store or use secret keys in the same way as 1.4.  In
particular, secring.gpg is no longer used, and secret key material is
stored in ~/.gnupg/private-keys-v1.d/

if you want to continue to use your USB flash disk, i recommend (when
the USB disk is inserted and mounted):

  if [ -d ~/.gnupg/private-keys-v1.d ]; then
    mv ~/.gnupg/private-keys-v1.d /mnt/security/.gnupg/
  else
    mkdir -m 0700 /mnt/security/.gnupg/private-keys-v1.d
  fi
  ln -s /mnt/security/.gnupg/private-keys-v1.d ~/.gnupg/private-keys-v1.d
  if [ -L ~/.gnupg/secring.gpg ]; then
    rm ~/.gnupg/secring.gpg
  fi
  gpg --batch --import < /mnt/security/.gnupg/secring.gpg

Once this is done and you're sure you have access to the secret keys you
want, you can also delete /mnt/security/.gnupg/secring.gpg.

hope this helps,

 --dkg




Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-23 Thread Michal Hocko
On Sun, Feb 12, 2017 at 06:47:15PM -0500, Daniel Kahn Gillmor wrote:
[...]
> If this report is strictly about the yubikey smartcard, we should
> reassign it to scdaemon.  Does "git tag -S" work for you when you are
> *not* using a smartcard?

Well I am not using any smartcards. I just have my private keyring on a
USB flash disk and
~/.gnupg/secring.gpg -> /mnt/security/.gnupg/secring.gpg

but that shouldn't matter, right?
-- 
Michal Hocko



Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-13 Thread Daniel Kahn Gillmor
On Mon 2017-02-13 17:13:07 -0500, Luca Capello wrote:
> On Sun, 12 Feb 2017 18:47:15 -0500, Daniel Kahn Gillmor wrote:
>> If this report is strictly about the yubikey smartcard, we should
>> reassign it to scdaemon.  Does "git tag -S" work for you when you are
>> *not* using a smartcard?
>
> Oh, sorry if I was not clear enough: no, `git tag -S` does now work
> without the YubiKey.

sorry to keep asking for clarification, but there are enough negations
above for me to be confused about whether "now" is a typo for "not" in
the sentence above.

> ...I tried everything again, starting with a fresh-new ~/.gnupg with
> GnuPG 1:

I do not expect gpg 1.4 to be co-operative with gpg 2.1 in several
different ways:

 * gpg 1.4 expects to find the agent to talk to by looking at
   $GPG_AGENT_INFO.  gpg 2.1 expects to use the "standard socket".

 * gpg 1.4 does not know how to ask the gpg-agent for use of the secret
   key material.  1.4 expects to ask the agent only for a passphrase,
   and needs to have secret key material in-process.

 * gpg 2.1 prefers to use a pubring.kbx format for its public keys.  1.4
   does not even know about this file, and wouldn't be able to parse it
   if it did know about it.

 * gpg 1.4 expects to connect directly to the active smartcard.  2.1
   expects access to the smartcard to be mediated by the scdaemon
   process.  I don't know what happens if both of these systems try to
   access a single smartcard concurrently, but i imagine it's not
   pretty.

We will continue to support gpg1 in debian for use by people with legacy
needs (e.g. decrypting archived data that was encrypted to old,
known-broken PGPv3 keys) but i do *not* expect it to "play nice" and
share keys, either private or public, with the 2.1.x series.

> $ gpg --default-key 3BE9F36D! --sign file.txt
>
> You need a passphrase to unlock the secret key for
> user: "Luca Capello "
> 4096-bit RSA key, ID 3BE9F36D, created 2009-07-01 (main key ID E397832F)
>
> gpg: gpg-agent is not available in this session
> $ 
> =
>
> WTF?

that's presumably due to a missing env var, as you show below:

> =
> $ export GPG_TTY=$(tty)
> $ gpg --default-key 3BE9F36D! --sign file.txt
> [...]
> gpg: gpg-agent is not available in this session
> $ unset GPG_TTY
> $ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent"
> $ gpg --default-key 3BE9F36D! --sign file.txt
> [...]
> gpg: malformed GPG_AGENT_INFO environment variable
> $ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:1"
> $ gpg --default-key 3BE9F36D! --sign file.txt
> [...]
> gpg: gpg-agent protocol version 0 is not supported
> $ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:2"
> $ gpg --default-key 3BE9F36D! --sign file.txt
> [...]
> gpg: gpg-agent protocol version 0 is not supported
> $ ls -l ~/.gnupg/private-keys-v1.d/
> total 0
> $
> =
>
> OK, so I guess everything is as expected.


Sure, though i'm surprised to see you using "$HOME/.gnupg/S.gpg-agent"
as your socket path.  You should be setting this env var with a socket
path based on the name returned by "gpgconf --list-dirs agent-socket"
(or, on older versions of 2.1.x, "gpgconf --list-dirs | grep
^agent-socket: | cut -f2 -d:").  please see
/etc/X11/Xsession.d/90gpg-agent for an example.

> Let me try with the YubiKey:
> =
> [insert the YubiKey]
> $ gpg --card-status
> [...]
> General key info..: pub  4096R/675E1031 2016-02-22 Luca Capello 
> [...]
> $ git config --unset --global user.signingkey 3BE9F36D
> $ unset GPG_AGENT_INFO
> $ git commit -m 'file.txt: new file'
> gpg: signatures created so far: 1799
>
> Please enter the PIN
> [sigs done: 1799]
> gpg: gpg-agent is not available in this session
> Enter PIN:
> gpg: Interrupt caught ... exiting
>
> $ export GPG_TTY=$(tty)
> $ git commit -m 'file.txt: new file'
> [same as above]
> $ git commit -m 'file.txt: new file'
> gpg: signatures created so far: 1799
>
> Please enter the PIN
> [sigs done: 1799]
> gpg: gpg-agent is not available in this session
> [master (root-commit) 74bff88] file.txt: new file
>  1 file changed, 1 insertion(+)
>  create mode 100644 file.txt
> $ git tag -s -m 'test file' test_file
> gpg: signatures created so far: 1800
>
> Please enter the PIN
> [sigs done: 1800]
> gpg: gpg-agent is not available in this session
> $ 
> =

Again, it looks to me like your env var for the agent isn't set
correctly.  but i don't think you're using the agent at all.  rather,
you're using 1.4's direct access to the smartcard.

> Let me try with GnuPG 2.1:
> =
> $ ls -l /usr/bin/gpg
> lrwxrwxrwx 1 root root 4 Feb 13 22:26 /usr/bin/gpg -> gpg2

there is no debian system in which this is a standard configuration, and
the version of gpg in use here is, as already noted, not a part of
debian anywhere.  At some level, we're in "if you break this, you get to
keep both pieces" territory. :/

There's a lot for those of us on pkg-gnupg-maint to review and clean up
already with the stretch freeze, and i'm not sure how to responsibly
devote time 
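
The socket lookup dkg recommends above, worked through as an added shell example (this is not code from the bug report or from the gnupg package): it pulls agent-socket out of gpgconf --list-dirs output and builds the three-field <socket>:<pid>:<protocol> value that gpg 1.4 actually parses, which is why the bare path and the ":1"/":2" suffixes in Luca's session were rejected. The gpgconf listing is a constructed sample, and check_agent_info mirrors gpg 1.4's checks rather than invoking gpg.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the gnupg package:
# build a GPG_AGENT_INFO value for gpg 1.4 from the socket path gpgconf
# reports, instead of guessing $HOME/.gnupg/S.gpg-agent.

# Constructed sample of "gpgconf --list-dirs" output, so the functions can
# be exercised without gpgconf installed; a real run substitutes
# "$(gpgconf --list-dirs)" for it.
SAMPLE_LISTDIRS='sysconfdir:/etc/gnupg
homedir:/home/user/.gnupg
agent-socket:/home/user/.gnupg/S.gpg-agent
dirmngr-socket:/home/user/.gnupg/S.dirmngr'

# The grep/cut pipeline from the thread for older 2.1.x gpgconf, applied to
# listing text passed as $1.
agent_socket_from_listing() {
    printf '%s\n' "$1" | grep '^agent-socket:' | cut -f2 -d:
}

# gpg 1.4 parses GPG_AGENT_INFO as <socket>:<pid>:<protocol>. It accepts
# only protocol 1; the pid field is not used here and 0 is the
# conventional placeholder.
agent_info_from_socket() {
    printf '%s:0:1' "$1"
}

# Mirror gpg 1.4's parsing of the variable: no colon at all is
# "malformed"; a missing third field is read as protocol 0, which is
# exactly why "S.gpg-agent:1" and "S.gpg-agent:2" failed in the session
# quoted above (the 1 and 2 landed in the pid slot).
check_agent_info() {
    case "$1" in
        ?*:*) ;;
        *) echo "malformed GPG_AGENT_INFO environment variable" >&2; return 1 ;;
    esac
    rest=${1#*:}                  # "<pid>:<protocol>" or just "<pid>"
    case "$rest" in
        *:*) proto=${rest#*:}; proto=${proto%%:*} ;;
        *)   proto=0 ;;
    esac
    [ "$proto" = 1 ] || { echo "gpg-agent protocol version $proto is not supported" >&2; return 1; }
}

# Usage: print the export line for the listing. gpg 1.4 also needs
# "use-agent" in gpg.conf before it consults the variable at all.
sock=$(agent_socket_from_listing "$SAMPLE_LISTDIRS")
info=$(agent_info_from_socket "$sock")
check_agent_info "$info" && echo "export GPG_AGENT_INFO=\"$info\""
```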

Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-13 Thread Luca Capello
Hi there,

On Sun, 12 Feb 2017 18:47:15 -0500, Daniel Kahn Gillmor wrote:
> On Sun 2017-02-12 16:52:29 -0500, Luca Capello wrote:
> > Actually, even worse, commit does not work with gnupg2_2.1.11-7:
> >
> >   
> 
> I'm surprised to see a report about 2.1.11-7 on 2017-02-12 when that
> package was superseded 10 days ago by 2.1.18-3.  Is there a reason that
> you're using 2.1.11-7, which is no longer in debian?

Yes, AFAIK it is the only way to have GnuPG 2.1 (to have gpg-agent
forwarding) on jessie, as I explained in the other bug report I linked.
This is also why I am working on the jessie-backports ;-)

> > What is funny is that if I plug my YubiKey 4 (basically an OpenPGP
> > smartcard) everything (commit + tag) is fine (tested on 2 different
> > jessie).
> 
> If this report is strictly about the yubikey smartcard, we should
> reassign it to scdaemon.  Does "git tag -S" work for you when you are
> *not* using a smartcard?

Oh, sorry if I was not clear enough: no, `git tag -S` does now work
without the YubiKey.

Given that I had actually missed Mickael's second post...

  

...I tried everything again, starting with a fresh-new ~/.gnupg with
GnuPG 1:
=
$ gpg --version | head -n 1
gpg (GnuPG) 1.4.18
$ gpg --list-secret-keys
$HOME/.gnupg/secring.gpg
---
sec#  4096R/E397832F 2009-07-01
uid  Luca Capello 
uid  Luca Capello 
uid  Luca Capello 
uid  Luca Capello 
ssb   4096R/3BE9F36D 2009-07-01
ssb#  4096R/2BB95F4B 2009-07-01
ssb>  4096R/675E1031 2016-02-22
ssb>  4096R/A0ACD061 2016-02-22
ssb>  4096R/D18542FA 2016-02-22
$ grep -v -e '^#' -e '^$' ~/.gnupg/gpg.conf
keyserver hkp://keys.gnupg.net
$ echo 'use-agent' >>~/.gnupg/gpg.conf
$ eval $(gpg-agent --daemon)
gpg-agent[13561]: directory $HOME/.gnupg/private-keys-v1.d' created
gpg-agent[13562]: gpg-agent (GnuPG) 2.1.11 started
$ mkdir test.git
$ cd test.git/
$ git init
Initialized empty Git repository in $HOME/test.git/.git/
$ echo 'test file' >file.txt
$ git add file.txt
$ git commit -m 'file.txt: new file'
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: signing failed: general error
gpg: signing failed: general error
error: gpg failed to sign the data
fatal: failed to write commit object
$ git config --global user.signingkey 3BE9F36D
$ git commit -m 'file.txt: new file'
[error as above]
$ gpg --sign file.txt
[error as above]
$ gpg --default-key 3BE9F36D --sign file.txt
[error as above]
$ gpg --default-key E397832F --sign file.txt
[error as above]
$ gpg --default-key 3BE9F36D! --sign file.txt

You need a passphrase to unlock the secret key for
user: "Luca Capello "
4096-bit RSA key, ID 3BE9F36D, created 2009-07-01 (main key ID E397832F)

gpg: gpg-agent is not available in this session
$ 
=

WTF?

=
$ export GPG_TTY=$(tty)
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent is not available in this session
$ unset GPG_TTY
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: malformed GPG_AGENT_INFO environment variable
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:1"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent protocol version 0 is not supported
$ export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:2"
$ gpg --default-key 3BE9F36D! --sign file.txt
[...]
gpg: gpg-agent protocol version 0 is not supported
$ ls -l ~/.gnupg/private-keys-v1.d/
total 0
$
=

OK, so I guess everything is as expected.

Let me try with the YubiKey:
=
[insert the YubiKey]
$ gpg --card-status
[...]
General key info..: pub  4096R/675E1031 2016-02-22 Luca Capello 
[...]
$ git config --unset --global user.signingkey 3BE9F36D
$ unset GPG_AGENT_INFO
$ git commit -m 'file.txt: new file'
gpg: signatures created so far: 1799

Please enter the PIN
[sigs done: 1799]
gpg: gpg-agent is not available in this session
Enter PIN:
gpg: Interrupt caught ... exiting

$ export GPG_TTY=$(tty)
$ git commit -m 'file.txt: new file'
[same as above]
$ git commit -m 'file.txt: new file'
gpg: signatures created so far: 1799

Please enter the PIN
[sigs done: 1799]
gpg: gpg-agent is not available in this session
[master (root-commit) 74bff88] file.txt: new file
 1 file changed, 1 insertion(+)
 create mode 100644 file.txt
$ git tag -s -m 'test file' test_file
gpg: signatures created so far: 1800

Please enter the PIN
[sigs done: 1800]
gpg: gpg-agent is not available in this session
$ 
=

Similar to #802586, ssh works fine:
=
$ pkill gpg-agent
$ echo 'enable-ssh-support' >~/.gnupg/gpg-agent.conf
$ eval $(gpg-agent --daemon)
$ ssh-add -l
4096 57:df:0d:67:82:4a:7f:80:15:80:5f:48:e6:e6:ae:06 cardno:0123456789ab (RSA)
$
=

Bug#568375: [pkg-gnupg-maint] Bug#568375: gnupg-agent: does not work with `git tag -s`

2017-02-12 Thread Daniel Kahn Gillmor
On Sun 2017-02-12 16:52:29 -0500, Luca Capello wrote:
> Actually, even worse, commit does not work with gnupg2_2.1.11-7:
>
>   

I'm surprised to see a report about 2.1.11-7 on 2017-02-12 when that
package was superseded 10 days ago by 2.1.18-3.  Is there a reason that
you're using 2.1.11-7, which is no longer in debian?

> What is funny is that if I plug my YubiKey 4 (basically an OpenPGP
> smartcard) everything (commit + tag) is fine (tested on 2 different
> jessie).

If this report is strictly about the yubikey smartcard, we should
reassign it to scdaemon.  Does "git tag -S" work for you when you are
*not* using a smartcard?

Please see https://bugs.debian.org/854005 and
https://bugs.debian.org/854616 for more diagnostic approaches that might
help you with your yubikey.

 --dkg