← Back to team overview

desktop-packages team mailing list archive

[Bug 884856] Re: gnome-keyring integration breaks some GPG functions


@hawke make sure you have disabled "Start GNOME services" in your
Session & startup settings

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.

  gnome-keyring integration breaks some GPG functions

Status in GNOME keyring services:
Status in “gnome-keyring” package in Ubuntu:

Bug description:
  In recent Ubuntu releases (not sure how far back, but at least
  Oneiric) gnome-keyring offers gpg-agent integration and is enabled by
  default. The gpg-agent protocol implementation of gnome-keyring is
  very incomplete and hence breaks at least the smartcard functions of
  gpg and most functions of gpgsm.

  Steps to reproduce (smartcard):
  1. Acquire a smartcard reader, an OpenPGP smartcard and install pcsc-lite
  2. Start a normal new Ubuntu desktop session
  3. strace gpg --card-status

  Actual results:
  socket(PF_FILE, SOCK_STREAM, 0)         = 3
  connect(3, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
  write(3, "SCD SERIALNO openpgp", 20)    = 20
  write(3, "\n", 1)                       = 1
  read(3, "ERR 103 unknown command\n", 1002) = 24

  The printout on stdout is 
  selecting openpgp failed: unknown command
  OpenPGP card not available: general error

  Expected results: The agent should know the SCD command and act

  Steps to reproduce(gpgsm):
  1. Migrate from an old installation that includes X.509 certificates and private keys in gpgsm.
  2. strace gpgsm -K

  Actual results:
  socket(PF_FILE, SOCK_STREAM, 0)         = 4
  connect(4, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
  write(4, "HAVEKEY 62B64B58FF1BD7E0B48FE51A"..., 48) = 48
  write(4, "\n", 1)                       = 1
  read(4, "ERR 103 unknown command\n", 1002) = 24

  Expected results: The agent should know the HAVEKEY command and act

  Due to the way the gnome-keyring is activated in recent releases no easy workaround is possible. Removing the GPG_AGENT_INFO environment variable makes the individual examples work (they will just start their own agent if necessary), but that's not possible (and certainly not configurable) on a system level. gnome-keyring-daemon allows in principle to deactivate the faulty gpg module (there is a command line option --components that accepts a list of any combination of pkcs11,secrets,ssh,gpg).

  But currently the gnome-keyring-daemon is started through the
  pam_gnome_keyring.so PAM module which uses a hard-coded command line
  ("--daemonize --login").

  Steps to resolve this problem: At least a) disable the gpg gnome-keyring module by default in the PAM module, and/or b) make the command line options that the module uses user configurable. Or c) extend gnome-keyring with all the missing functionality (and play a constant game of catch-up), or d) leave gpg-agent operations to the gpg-agent and try to solve whatever problem the gnome-keyring gpg-agent emulation was meant to solve in another manner.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: gnome-keyring 3.2.1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
  Uname: Linux 3.0.0-12-generic x86_64
  ApportVersion: 1.23-0ubuntu3
  Architecture: amd64
  Date: Mon Oct 31 05:41:24 2011
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
   PATH=(custom, no user)
  SourcePackage: gnome-keyring
  UpgradeStatus: Upgraded to oneiric on 2011-10-14 (17 days ago)

To manage notifications about this bug go to: