Hi! I'm using gpg remotely over ssh by forwarding my local agent-extra-socket as my remote's regular agent-socket. I use it with a (local) nitrokey mostly without problems for signing: on the remote I can use `gpg --sign`, it asks for the PIN with a GUI pinentry popping up on my local desktop and even uses it with the local nitrokey card.
However, I cannot make `gpg --symmetric` encryption work on the remote, as it tells me getting a passphrase is "Forbidden". Is it possible at all? I can't find any documentation about what is actually 'restricted' by the restricted mode of the extra socket. Or must I use two agents (one forwarded, one local to the remote), and if so, is there any guide as to how to do that? I don't care much about passphrase cache, I just want to encrypt a file by entering a passphrase with whatever pinentry.

Thanks for any pointers,
Marcin

--- Logs -----

Local gpg version: 2.4.3, Remote gpg version: 2.2.27

Remote output:

```
$ gpg -vvv --symmetric tmp.txt
gpg: using character set 'utf-8'
gpg: connection to agent is in restricted mode
gpg: problem with the agent: Forbidden
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'tmp.txt' failed: Operation cancelled
```

Local gpg-agent logs when trying from remote:

```
2024-02-23 22:11:07 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 132243
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden <GPG Agent>
<- GETINFO restricted
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden <GPG Agent>
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
S2K calibration: 44149760 -> 101ms
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
command 'GET_PASSPHRASE' failed: Forbidden
-> ERR 67109115 Forbidden <GPG Agent>
<- [eof]
```

Local gpg-agent logs when doing gpg --symmetric locally:

```
2024-02-23 22:44:48 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 134008
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> OK
<- OPTION ttytype=xterm-256color
-> OK
<- OPTION display=:0
-> OK
<- OPTION xauthority=/run/user/1000/xauth_hZahio
-> OK
<- OPTION putenv=XMODIFIERS=@im=none
-> OK
<- OPTION putenv=WAYLAND_DISPLAY=wayland-0
-> OK
<- OPTION putenv=XDG_SESSION_TYPE=wayland
-> OK
<- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
-> OK
<- OPTION lc-ctype=en_US.UTF-8
-> OK
<- OPTION lc-messages=en_US.UTF-8
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> OK
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- S545B95646F9BD365 X X Enter+passphrase%0A
agent_get_cache 'S545B95646F9BD365'.0 (mode 3) ...
... miss
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134010 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134027 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
agent_put_cache 'S545B95646F9BD365'.0 (mode 3) requested ttl=0
-> [[Confidential data not shown]]
-> OK
<- [eof]
```

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
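The agent trace quoted in the post can be read mechanically to see which Assuan commands the restricted (extra-socket) connection refused and whether gpg confirmed restricted mode. The following is an added example, not code from the post or from GnuPG; the trace excerpt is constructed from the lines quoted above.

```python
import re

# Constructed excerpt of the restricted-mode trace above ('<-' = gpg command, '->' = agent reply)
RESTRICTED_TRACE = """\
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden <GPG Agent>
<- GETINFO restricted
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden <GPG Agent>
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
-> ERR 67109115 Forbidden <GPG Agent>
"""

LINE_RE = re.compile(r"(<-|->)\s*(.*)$")  # first arrow on the line; tolerates a 'DBG: chan_N' prefix

def pair_commands(trace):
    """Return [(command, terminal_reply)]: the terminal reply is the first OK
    or ERR after a '<-' line; 'D' data lines and other log noise are skipped."""
    pairs, current = [], None
    for raw in trace.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "<-":
            current = text
        elif current is not None and text.split(" ", 1)[0] in ("OK", "ERR"):
            pairs.append((current, text))
            current = None
    return pairs

def command_key(cmd):
    """'OPTION ttyname=/dev/pts/7' -> 'OPTION ttyname'; otherwise the verb."""
    verb, _, rest = cmd.partition(" ")
    return f"OPTION {rest.partition('=')[0]}" if verb == "OPTION" else verb

def forbidden_commands(trace):
    """Sorted command keys the agent answered with 'ERR ... Forbidden'."""
    return sorted({command_key(c) for c, r in pair_commands(trace)
                   if r.startswith("ERR") and "Forbidden" in r})

def connection_is_restricted(trace):
    """True/False from the reply to 'GETINFO restricted'; None if never asked."""
    for cmd, reply in pair_commands(trace):
        if cmd == "GETINFO restricted":
            return reply.startswith("OK")
    return None
```

Run against the full restricted-mode log, it lists `OPTION ttyname`, `OPTION allow-pinentry-notify` and `GET_PASSPHRASE` as refused, which matches gpg's "problem with the agent: Forbidden" on the remote.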