desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #72767
[Bug 884856] Re: gnome-keyring integration breaks some GPG functions
Thanks Pete, so glad I found your comment. I was struggling trying to
understand why it would work as root and not as normal user. Initially I
was looking for some udev rules (permissions etc), but in the end
through strace it turned out to be what is described here.
What is lost by disabling gpg-agent by default?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/884856
Title:
gnome-keyring integration breaks some GPG functions
Status in GNOME keyring services:
New
Status in “gnome-keyring” package in Ubuntu:
Confirmed
Bug description:
In recent Ubuntu releases (not sure how far back, but at least
Oneiric) gnome-keyring offers gpg-agent integration and is enabled by
default. The gpg-agent protocol implementation of gnome-keyring is
very incomplete and hence breaks at least the smartcard functions of
gpg and most functions of gpgsm.
Steps to reproduce (smartcard):
1. Acquire a smartcard reader, an OpenPGP smartcard and install pcsc-lite
2. Start a normal new Ubuntu desktop session
3. strace gpg --card-status
Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(3, "SCD SERIALNO openpgp", 20) = 20
write(3, "\n", 1) = 1
read(3, "ERR 103 unknown command\n", 1002) = 24
...
The printout on stdout is
selecting openpgp failed: unknown command
OpenPGP card not available: general error
Expected results: The agent should know the SCD command and act
accordingly.
Steps to reproduce(gpgsm):
1. Migrate from an old installation that includes X.509 certificates and private keys in gpgsm.
2. strace gpgsm -K
Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(4, "HAVEKEY 62B64B58FF1BD7E0B48FE51A"..., 48) = 48
write(4, "\n", 1) = 1
read(4, "ERR 103 unknown command\n", 1002) = 24
...
Expected results: The agent should know the HAVEKEY command and act
accordingly.
Due to the way the gnome-keyring is activated in recent releases no easy workaround is possible. Removing the GPG_AGENT_INFO environment variable makes the individual examples work (they will just start their own agent if necessary), but that's not possible (and certainly not configurable) on a system level. gnome-keyring-daemon allows in principle to deactivate the faulty gpg module (there is a command line option --components that accepts a list of any combination of pkcs11,secrets,ssh,gpg).
But currently the gnome-keyring-daemon is started through the
pam_gnome_keyring.so PAM module which uses a hard-coded command line
("--daemonize --login").
Steps to resolve this problem: At least a) disable the gpg gnome-keyring module by default in the PAM module, and/or b) make the command line options that the module uses user configurable. Or c) extend gnome-keyring with all the missing functionality (and play a constant game of catch-up), or d) leave gpg-agent operations to the gpg-agent and try to solve whatever problem the gnome-keyring gpg-agent emulation was meant to solve in another manner.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: gnome-keyring 3.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 31 05:41:24 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
LANGUAGE=en_GB:en
PATH=(custom, no user)
LANG=de_DE.utf8
SHELL=/bin/bash
SourcePackage: gnome-keyring
UpgradeStatus: Upgraded to oneiric on 2011-10-14 (17 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-keyring/+bug/884856/+subscriptions
References
