Bug#842015: [pkg-gnupg-maint] Bug#842015: gnupg: gpg --no-tty freezes when there is no X display

2016-10-26 Thread Daniel Kahn Gillmor
On Tue 2016-10-25 19:50:05 -0400, Vincent Lefevre wrote:
> This is not specific to Emacs. There's the same problem with
> "gpg -d file.gpg" instead of "emacs file.gpg".
>
> I suppose that if gpg communicates its $DISPLAY and $GPG_TTY to
> gpg-agent, gpg-agent should be able to know what to do.

gpg does communicate this info to gpg-agent (and several other
environment variables as well).

--dkg



Bug#842015: [pkg-gnupg-maint] Bug#842015: gnupg: gpg --no-tty freezes when there is no X display

2016-10-25 Thread Vincent Lefevre
On 2016-10-25 17:40:03 -0400, Daniel Kahn Gillmor wrote:
> since each user has a single gpg-agent (thanks to the standard-socket),
> I see a few choices here:
> 
>  a) use pinentry-emacs where possible (this won't currently work within
> debian since none of our pinentry implementations are configured to
> support emacs, though this could change)
> 
>  b) emacs could use "--pinentry-mode loopback" and directly handle the
> user's passphrase
> 
>  c) emacs could pass its controlling tty to the gpg process and rely on
> pinentry-curses or pinentry-tty (or any comparable fallback
> mechanism) to handle the situation.
> 
> I've opened the upstream bug report
> https://bugs.gnupg.org/gnupg/issue2818 to try to track this problem, as
> i'm not sure the best way to solve it.

This is not specific to Emacs. There's the same problem with
"gpg -d file.gpg" instead of "emacs file.gpg".

I suppose that if gpg communicates its $DISPLAY and $GPG_TTY to
gpg-agent, gpg-agent should be able to know what to do.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#842015: [pkg-gnupg-maint] Bug#842015: gnupg: gpg --no-tty freezes when there is no X display

2016-10-25 Thread Daniel Kahn Gillmor
Control: tags 842015 - unreproducible moreinfo
Control: tags 842015 + upstream
Control: forwarded 842015 https://bugs.gnupg.org/gnupg/issue2818

Hi Vincent--

I think your analysis is correct:

On Tue 2016-10-25 14:35:49 -0400, Vincent Lefevre wrote:
> This happened when I was at my lab and connected to my machine
> at home, and I've just gone back home and was surprised to see
> the dialog boxes (pinentry?) to type my passphrase.
>
> I think that what happened is the following:
>
> 1. Start an X session locally on machine A.
>    I suppose that this starts gpg-agent automatically (otherwise
>    maybe an "emacs file.gpg" is needed too).

It is intended behavior that gpg-agent should start automatically from
your graphical session.  Since we use the standard socket location, each
user account on a given machine uses the same gpg-agent.

> 2. From machine B, do "ssh A" (without X forwarding).
>
> 3. From this ssh session, do "emacs file.gpg".

since each user has a single gpg-agent (thanks to the standard-socket),
I see a few choices here:

 a) use pinentry-emacs where possible (this won't currently work within
debian since none of our pinentry implementations are configured to
support emacs, though this could change)

 b) emacs could use "--pinentry-mode loopback" and directly handle the
user's passphrase

 c) emacs could pass its controlling tty to the gpg process and rely on
pinentry-curses or pinentry-tty (or any comparable fallback
mechanism) to handle the situation.

I've opened the upstream bug report
https://bugs.gnupg.org/gnupg/issue2818 to try to track this problem, as
i'm not sure the best way to solve it.

> It seems that gpg connects to gpg-agent, which thinks that the
> current screen is the one that corresponds to the X session,
> which is obviously wrong. At least, gpg and gpg-agent shouldn't
> assume that they have the same $DISPLAY in their environment.
>
> Before I do anything else, can you reproduce the problem with
> something like that?

yep, thanks, this is the info we needed.  I've dropped the
unreproducible and moreinfo tags.

 --dkg




Bug#842015: [pkg-gnupg-maint] Bug#842015: gnupg: gpg --no-tty freezes when there is no X display

2016-10-25 Thread Vincent Lefevre
On 2016-10-25 13:19:13 -0400, Daniel Kahn Gillmor wrote:
> I'd like to learn more about what's going on that makes this freeze for
> you.  It's possible that it's talking to gpg-agent and gpg-agent isn't
> responding as fast as you'd like because it's invoking pinentry
> somewhere else...

This happened when I was at my lab and connected to my machine
at home, and I've just gone back home and was surprised to see
the dialog boxes (pinentry?) to type my passphrase.

I think that what happened is the following:

1. Start an X session locally on machine A.
   I suppose that this starts gpg-agent automatically (otherwise
   maybe an "emacs file.gpg" is needed too).

2. From machine B, do "ssh A" (without X forwarding).

3. From this ssh session, do "emacs file.gpg".

It seems that gpg connects to gpg-agent, which thinks that the
current screen is the one that corresponds to the X session,
which is obviously wrong. At least, gpg and gpg-agent shouldn't
assume that they have the same $DISPLAY in their environment.

Before I do anything else, can you reproduce the problem with
something like that?

> Are you using a forwarded agent or a local agent?

No forwarding agent, AFAIK (unless I'm not aware of one).

> what pinentry programs are available on the machine in question?
> which one is installed as the default?

zira:~> update-alternatives --display pinentry
pinentry - auto mode
  link best version is /usr/bin/pinentry-gnome3
  link currently points to /usr/bin/pinentry-gnome3
  link pinentry is /usr/bin/pinentry
  slave pinentry.1.gz is /usr/share/man/man1/pinentry.1.gz
/usr/bin/pinentry-curses - priority 50
  slave pinentry.1.gz: /usr/share/man/man1/pinentry-curses.1.gz
/usr/bin/pinentry-gnome3 - priority 90
  slave pinentry.1.gz: /usr/share/man/man1/pinentry-gnome3.1.gz
/usr/bin/pinentry-gtk-2 - priority 85
  slave pinentry.1.gz: /usr/share/man/man1/pinentry-gtk-2.1.gz

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#842015: [pkg-gnupg-maint] Bug#842015: gnupg: gpg --no-tty freezes when there is no X display

2016-10-25 Thread Daniel Kahn Gillmor
Control: tags 842015 + moreinfo unreproducible

Hi Vincent --

On Tue 2016-10-25 05:25:24 -0400, Vincent Lefevre wrote:
> Emacs lucid starts:
>
>   /usr/bin/gpg --no-tty --status-fd 1 --yes --enable-progress-filter \
>   --command-fd 0 --output /tmp/epg-output9765F4x --decrypt -- 
>
> to decode files, even when there is no X display. This is a bug
> since this makes no sense (reported as bug 842012), but the fact
> that gpg freezes instead of returning with an error is another
> bug...

I'd like to learn more about what's going on that makes this freeze for
you.  It's possible that it's talking to gpg-agent and gpg-agent isn't
responding as fast as you'd like because it's invoking pinentry
somewhere else...

can you try running the command in question manually and showing me
what's produced on the status-fd?

I tried this myself and see:

$ DISPLAY=:0 gpg --no-tty --status-fd 1 --yes --enable-progress-filter \
  --command-fd 0 --output $(pwd)/output --decrypt -- test.gpg
[GNUPG:] PROGRESS test.gpg ? 0 866 B
[GNUPG:] ENC_TO A70A96E1439EA852 1 0
[GNUPG:] KEYEXPIRED 1453409582
[GNUPG:] KEY_CONSIDERED 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 0
[GNUPG:] PINENTRY_LAUNCHED 27754


it hangs here while pinentry is trying to collect my passphrase.

If i cancel the pinentry, then it produces the following text and
returns with error code 2:

[GNUPG:] KEYEXPIRED 1453409582
[GNUPG:] KEY_CONSIDERED 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 0
gpg: encrypted with 4096-bit RSA key, ID A70A96E1439EA852, created 2016-01-05
  "Daniel Kahn Gillmor "
gpg: public key decryption failed: Operation cancelled
[GNUPG:] ERROR pkdecrypt_failed 83886179
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
[GNUPG:] PROGRESS test.gpg ? 866 866 B


Are you using a forwarded agent or a local agent?  what pinentry
programs are available on the machine in question?  which one is
installed as the default?

 --dkg
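
Added example, not part of the original message and not GnuPG or Emacs code: a small parser for the `--status-fd` lines shown above that tells "blocked on pinentry" apart from "decryption failed". The function names and state labels are assumptions made for this illustration; the sample input is abridged from the output quoted in the message.

```python
import re

# Constructed sample: abridged from the status output quoted in the message above.
HUNG = """\
[GNUPG:] ENC_TO A70A96E1439EA852 1 0
[GNUPG:] KEYEXPIRED 1453409582
[GNUPG:] PINENTRY_LAUNCHED 27754
"""
AFTER_CANCEL = HUNG + """\
gpg: public key decryption failed: Operation cancelled
[GNUPG:] ERROR pkdecrypt_failed 83886179
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(text):
    """Yield (keyword, args) per status line; human-readable 'gpg:' lines are skipped."""
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split()


def classify(text):
    """Summarise a 'gpg --decrypt' run from the status output seen so far."""
    result = {"state": "running", "pinentry_pid": None, "error": None}
    for keyword, args in parse_status(text):
        if keyword == "PINENTRY_LAUNCHED":
            # First field is the pinentry PID; it may be followed by ":extra".
            result["pinentry_pid"] = int(args[0].split(":")[0])
            result["state"] = "waiting_for_pinentry"
            continue
        if result["state"] == "waiting_for_pinentry":
            result["state"] = "running"  # a later status line means pinentry returned
        if keyword == "ERROR":
            code = int(args[1]) if len(args) > 1 else None
            result["error"] = (args[0], code)  # (error location, error code)
        elif keyword == "DECRYPTION_FAILED":
            result["state"] = "failed"
        elif keyword == "DECRYPTION_OKAY":
            result["state"] = "ok"
    return result


if __name__ == "__main__":
    print(classify(HUNG))
    print(classify(AFTER_CANCEL))
```

A caller that sees `waiting_for_pinentry` with no further status lines knows gpg has not hung on its own: it is waiting on the pinentry process with the reported PID, wherever gpg-agent displayed it.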

