desktop-packages team mailing list archive
Message #44781
[Bug 884856] [NEW] gnome-keyring integration breaks some GPG functions
Public bug reported:
In recent Ubuntu releases (not sure how far back, but at least Oneiric)
gnome-keyring offers gpg-agent integration and is enabled by default.
The gpg-agent protocol implementation of gnome-keyring is very
incomplete and hence breaks at least the smartcard functions of gpg and
most functions of gpgsm.
Steps to reproduce (smartcard):
1. Acquire a smartcard reader, an OpenPGP smartcard and install pcsc-lite
2. Start a normal new Ubuntu desktop session
3. strace gpg --card-status
Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(3, "SCD SERIALNO openpgp", 20) = 20
write(3, "\n", 1) = 1
read(3, "ERR 103 unknown command\n", 1002) = 24
...
The printout on stdout is
selecting openpgp failed: unknown command
OpenPGP card not available: general error
Expected results: The agent should know the SCD command and act
accordingly.
Steps to reproduce (gpgsm):
1. Migrate from an old installation that includes X.509 certificates and private keys in gpgsm.
2. strace gpgsm -K
Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(4, "HAVEKEY 62B64B58FF1BD7E0B48FE51A"..., 48) = 48
write(4, "\n", 1) = 1
read(4, "ERR 103 unknown command\n", 1002) = 24
...
Expected results: The agent should know the HAVEKEY command and act
accordingly.
Due to the way gnome-keyring is activated in recent releases, no easy workaround is possible. Removing the GPG_AGENT_INFO environment variable makes the individual examples work (they will just start their own agent if necessary), but that's not possible (and certainly not configurable) on a system level. gnome-keyring-daemon in principle allows deactivating the faulty gpg module (there is a command line option --components that accepts a list of any combination of pkcs11,secrets,ssh,gpg).
But currently the gnome-keyring-daemon is started through the
pam_gnome_keyring.so PAM module which uses a hard-coded command line
("--daemonize --login").
Steps to resolve this problem: At least a) disable the gpg gnome-keyring module by default in the PAM module, and/or b) make the command line options that the module uses user configurable. Or c) extend gnome-keyring with all the missing functionality (and play a constant game of catch-up), or d) leave gpg-agent operations to the gpg-agent and try to solve whatever problem the gnome-keyring gpg-agent emulation was meant to solve in another manner.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: gnome-keyring 3.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 31 05:41:24 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
LANGUAGE=en_GB:en
PATH=(custom, no user)
LANG=de_DE.utf8
SHELL=/bin/bash
SourcePackage: gnome-keyring
UpgradeStatus: Upgraded to oneiric on 2011-10-14 (17 days ago)
** Affects: gnome-keyring (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug oneiric running-unity
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/884856
Title:
gnome-keyring integration breaks some GPG functions
Status in “gnome-keyring” package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/884856/+subscriptions
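Added example (not part of the original report, and not gnome-keyring or GnuPG code): a small Python parser that reads strace output like the excerpts above, pairs each request written to an agent socket with the ERR line read back, and reports which command verbs the agent rejected. The sample trace is constructed from the lines quoted in the report; the function names and the keyring-* path heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the strace lines quoted in the report (gpg, then gpgsm).
SAMPLE_TRACE = r'''
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
write(3, "SCD SERIALNO openpgp", 20) = 20
write(3, "\n", 1) = 1
read(3, "ERR 103 unknown command\n", 1002) = 24
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
write(4, "HAVEKEY 62B64B58FF1BD7E0B48FE51A"..., 48) = 48
write(4, "\n", 1) = 1
read(4, "ERR 103 unknown command\n", 1002) = 24
'''

# Older strace prints AF_FILE/path=, newer prints AF_UNIX/sun_path=.
CONNECT = re.compile(r'^connect\((\d+), \{sa_family=AF_\w+, (?:sun_)?path="([^"]*)"')
IO = re.compile(r'^(read|write)\((\d+), "((?:[^"\\]|\\.)*)"')

def rejected_commands(trace):
    """Return [(socket_path, command_verb, error_line)] for each rejected request."""
    paths, pending, findings = {}, {}, []
    for line in trace.splitlines():
        line = line.strip()
        m = CONNECT.match(line)
        if m:
            paths[m.group(1)] = m.group(2)   # fd -> socket path
            continue
        m = IO.match(line)
        if not m or m.group(2) not in paths:
            continue                         # not traffic on a tracked socket
        op, fd, data = m.groups()
        data = data.replace(r'\n', '\n')     # undo strace's escaping of newlines
        if op == 'write':
            if data.strip():                 # skip the bare "\n" that ends a request
                pending[fd] = data.split()[0]
        elif data.startswith('ERR ') and fd in pending:
            findings.append((paths[fd], pending.pop(fd), data.strip()))
        elif data.startswith('OK'):
            pending.pop(fd, None)            # request was accepted
    return findings

def is_keyring_socket(path):
    """Heuristic (assumption): the socket sits in a keyring-* directory, as in the report."""
    return re.search(r'/keyring-[^/]+/gpg$', path) is not None

if __name__ == '__main__':
    for path, verb, err in rejected_commands(SAMPLE_TRACE):
        print(f'{path} (keyring: {is_keyring_socket(path)}) rejected {verb}: {err}')
```

To use it on a live system, pass the saved output of the strace commands from the reproduction steps to rejected_commands() in place of SAMPLE_TRACE.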
Follow ups
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Stefan Weil, 2015-09-04
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Bug Watch Updater, 2015-05-14
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Christian Hudon, 2014-12-29
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Andre Heinecke, 2014-11-19
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: legolas558, 2014-10-18
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Alex Mauer, 2014-10-06
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: legolas558, 2014-09-27
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Sebastien Bacher, 2012-01-04
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Simon Déziel, 2011-12-30
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Henryk Plötz, 2011-12-19
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: NIIBE Yutaka, 2011-11-22
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Launchpad Bug Tracker, 2011-11-16
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Sebastien Bacher, 2011-11-01
-
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
From: Henryk Plötz, 2011-11-01
-
[Bug 884856] [NEW] gnome-keyring integration breaks some GPG functions
From: Henryk Plötz, 2011-11-01