desktop-packages team mailing list archive
Message #78733
Re: [Bug 1387303] Re: regression: gnome-keyring components can't be disabled anymore
On 30 October 2014 01:51, Mike Berkley <1387303@xxxxxxxxxxxxxxxxxx> wrote:
> This same bug affects ssh keys, since gnome-keyring cannot handle ECDSA
> keys.
*sigh*
I presume the following things cannot be handled by gnome-keyring:
* gpg smartcards
* gpg smartcards, used for ssh authentication
* ECDSA ssh keys
* ECDSA gpg (2.1 beta)
However, the upstart job tries hard to _not_ override existing agents:
[ -z "$SSH_AUTH_SOCK" ] || [ -z "$GPG_AGENT_INFO" ] || { stop; exit 0; }
Thus if one has an ssh or gpg agent set before the gnome-keyring job is
spawned, it's not supposed to take over.
However on my machine things are a bit strange:
GPG_AGENT_INFO=/tmp/gpg-cSjth3/S.gpg-agent:2791:1
GNOME_KEYRING_CONTROL=/run/user/1000/keyring-BCPZie
SSH_AUTH_SOCK=/run/user/1000/keyring-BCPZie/ssh
GNOME_KEYRING_PID=2567
So ssh-agent & secrets agents are GNOME_KEYRING, and gpg-agent is
provided by gnupg.
I think the logic in the job is a bit wrong, and it will actually
always attempt to override the first agent.
I presume we want the pkcs11 gnome-keyring component? (That's for e.g.
normal ssl smartcards right?!)
As currently implemented, there is no easy way to have gnome-keyring
secrets/pkcs11 agent, whilst using gnupg/openssh agents for those
things.
These things seem to also resonate with
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/884856
I'm chatting on #ubuntu-desktop about it as well; a better plan needs
to be in place for an easy way to use gnome-keyring for ssh/gpg (for
simple users), but also an easy way to disable gnome-keyring's ssh/gpg
agents when it's not appropriate (advanced keys, certs, smartcards,
etc).
Ideally gnome-keyring would implement support for all of those....
--
Regards,
Dimitri.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1387303
Title:
regression: gnome-keyring components can't be disabled anymore
Status in “gnome-keyring” package in Ubuntu:
Won't Fix
Bug description:
To disable the user-session gnome-keyring upstart job:
$ mkdir -p ~/.config/upstart
$ echo manual > ~/.config/upstart/gnome-keyring.override
======
GNOME Keyring is by default a rather invasive service, which meddles with security-sensitive processes invasively. This may or may not be wise depending on a user's situation.
One particular case is GNOME Keyring's gpg-agent implementation, which
is incomplete and therefore doesn't support GPG's OpenPGP smartcard
support. gpg simply fails (with smartcards) when GNOME Keyring is
impersonating gpg-agent...
So to be able to use OpenPGP smartcards on Ubuntu, one needs to
disable GNOME Keyring from impersonating gpg-agent, which for quite
some time now has been trivial to effectively do:
echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gnome-keyring-gpg.desktop
With GNOME Keyring's recent update (3.10.1-1ubuntu4.1) in Trusty, this
seems to have been broken by the addition of:
/usr/share/upstart/sessions/gnome-keyring.conf
So it seems the /etc/xdg/autostart/gnome-keyring files are either
being ignored, or the started process is supplanted by the process
started by the upstart session config.
What is unclear to me is what the upstart session configuration is
supposed to achieve? And if it is meant to supplant the xdg/autostart
files, those should probably have been removed to prevent them from
causing any confusion as to how gnome-keyring is started/managed.
Presuming the upstart session is meant to stay, I would suggest to
remove the /etc/xdg/autostart/gnome-keyring-*.desktop files to prevent
confusion as mentioned above. And in my opinion a mechanism should be
provided so users can control which gnome-keyring components
'--components=pkcs11,secrets,ssh,gpg' are activated using some
configuration file in /etc, as files in /usr aren't meant to be
user-edited.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-keyring 3.10.1-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 29 18:14:57 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-04-07 (205 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Beta amd64 (20140326)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.xdg.autostart.gnome.keyring.gpg.desktop: 2014-04-09T19:49:03.884840
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1387303/+subscriptions
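The pre-start condition Dimitri quotes from the upstart job, and the '--components=pkcs11,secrets,ssh,gpg' option the bug description mentions, as an added worked example. This is not code from the upstart job, from gnome-keyring or from either poster: it re-implements the quoted condition as a shell function so its decision can be tabulated for all four combinations of SSH_AUTH_SOCK and GPG_AGENT_INFO, puts a check that stops as soon as either agent is already present beside it, and sketches a per-component selection that only adds the ssh and gpg components when nobody else has exported those variables. The function names and the sample socket paths are this example's own.

```shell
#!/bin/sh
# Added example (not the upstart job's own code and not from the bug
# report).  Re-implements the pre-start condition quoted in the thread,
# tabulates what it decides for every SSH_AUTH_SOCK / GPG_AGENT_INFO
# combination, and contrasts it with two alternatives.  Function names
# and the sample socket paths are this example's own.

# The condition as quoted from /usr/share/upstart/sessions/gnome-keyring.conf:
#   [ -z "$SSH_AUTH_SOCK" ] || [ -z "$GPG_AGENT_INFO" ] || { stop; exit 0; }
# Returns 0 when the job would go on and launch gnome-keyring-daemon,
# 1 when it would stop.  The two arguments stand in for the two
# environment variables so the function can be driven with test values.
# Note that it only stops when BOTH variables are already set.
original_check() {
    [ -z "$1" ] || [ -z "$2" ] || return 1
    return 0
}

# What the thread says the job tries to do: stay out of the way as soon
# as EITHER agent has already been set up by something else.
either_agent_check() {
    [ -z "$1" ] && [ -z "$2" ] || return 1
    return 0
}

# Per-component alternative, using the component names the bug report
# lists for gnome-keyring-daemon's --components= option: always keep
# pkcs11 and secrets, add ssh / gpg only when no other agent has exported
# its variable yet.  Prints the value one would pass to --components=.
select_components() {
    comps="pkcs11,secrets"
    [ -n "$1" ] || comps="$comps,ssh"
    [ -n "$2" ] || comps="$comps,gpg"
    printf '%s\n' "$comps"
}

# Tabulate all four combinations.  The socket paths are constructed
# samples in the shape ssh-agent and gpg-agent use.
truth_table() {
    printf '%-28s %-36s %-8s %-8s %s\n' \
        SSH_AUTH_SOCK GPG_AGENT_INFO original either components
    for ssh in "" "/tmp/ssh-XXXXXX/agent.1234"; do
        for gpg in "" "/tmp/gpg-XXXXXX/S.gpg-agent:1234:1"; do
            if original_check "$ssh" "$gpg"; then o=start; else o=stop; fi
            if either_agent_check "$ssh" "$gpg"; then e=start; else e=stop; fi
            printf '%-28s %-36s %-8s %-8s %s\n' \
                "${ssh:-unset}" "${gpg:-unset}" "$o" "$e" \
                "$(select_components "$ssh" "$gpg")"
        done
    done
}

truth_table
```

The table shows the asymmetry Dimitri points at: the quoted condition only stops the job when both variables are set, so a session that already has gnupg's gpg-agent but no ssh agent yet still starts gnome-keyring with every component, which is consistent with the environment dump above (GPG_AGENT_INFO from gnupg, SSH_AUTH_SOCK pointing into the keyring directory). Whether a per-component selection like select_components is the right fix is a design question for the package, not something this example settles.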