desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #97333
[Bug 1387303] Re: regression: gnome-keyring components can't be disabled anymore
** Tags added: verification-done-trusty verification-needed-utopic
** Description changed:
- To disable user session gnome-keyring upstart job:
+ To disable gnome-keyring ssh agent,
+ - disable gnome keyring ssh in startup applications
- $ echo manual ~/.config/upstart/gnome-keyring.override
+ To disable gnome-keyring gpg agent,
+ - disable gnome keyring gpg in startup applications
- ... and also disable the XDG auto-start jobs (Startup Applications)
+ If disabled, ssh-agent & gpg-agent upstart jobs are used instead.
=====
SRU tests
By default environment should have SSH & GPG agent variables pointing at
gnome-keyring provided ones.
Disabling gpg or ssh gnome keyring desktop files in "Startup
Applications" upon next login stock gpg/ssh agent's will be used. (No
gnome-keyring name in the SSH/GPG agent variable values)
Similarly, disabling upstart jobs for ssh or gpg agent also enables
stock ssh/gpg agents. (e.g. echo manual > ~/.config/upstart/gnome-
keyring-ssh.override)
=====
GNOME Keyring is by default a rather invasive service, which meddles
with security sensitive processes invasively. This may or may not be
wise depending on a users situation.
One particular case is GNOME Keyring's gpg-agent implementation, which
is incomplete and therefore doesn't support GPG's OpenPGP smartcard
support. gpg simply fails (with smartcards) when GNOME Keyring is
impersonating gpg-agent...
So to be able to use OpenPGP smartcards on Ubuntu, one needs to disable
GNOME Keyring from impersonating gpg-agent, which for quite some time
now has been trivial to effectively do:
echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gnome-
keyring-gpg.desktop
With GNOME Keyring's recent update (3.10.1-1ubuntu4.1) in Trusty, this
seems to have been broken by the addition of:
/usr/share/upstart/sessions/gnome-keyring.conf
So it seems the /etc/xdg/autostart/gnome-keyring files are either being
ignored, or the started process is supplanted by the process started by
the upstart session config.
What is unclear to me is what the upstart session configuration is
supposed to achieve? And if it is meant to supplant the xdg/autostart
files, those should probably have been removed to prevent them from
causing any confusion as to how gnome-keyring is started/managed.
Presuming the upstart session is meant to stay, I would suggest to
remove the /etc/xdg/autostart/gnome-keyring-*.desktop files to prevent
confusion as mentioned above. And in my opinion a mechanism should be
provided so users can control which gnome-keyring components '--
components=pkcs11,secrets,ssh,gpg' are activated using some
configuration file in /etc, as files in /usr aren't meant to be user
edited.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-keyring 3.10.1-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 29 18:14:57 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-04-07 (205 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Beta amd64 (20140326)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.xdg.autostart.gnome.keyring.gpg.desktop: 2014-04-09T19:49:03.884840
** Description changed:
To disable gnome-keyring ssh agent,
- - disable gnome keyring ssh in startup applications
+ - disable gnome keyring ssh in startup applications
To disable gnome-keyring gpg agent,
- - disable gnome keyring gpg in startup applications
+ - disable gnome keyring gpg in startup applications
- If disabled, ssh-agent & gpg-agent upstart jobs are used instead.
+ If above are disabled, stock ssh-agent & gpg-agent upstart jobs are used
+ instead.
=====
SRU tests
By default environment should have SSH & GPG agent variables pointing at
gnome-keyring provided ones.
Disabling gpg or ssh gnome keyring desktop files in "Startup
Applications" upon next login stock gpg/ssh agent's will be used. (No
gnome-keyring name in the SSH/GPG agent variable values)
Similarly, disabling upstart jobs for ssh or gpg agent also enables
stock ssh/gpg agents. (e.g. echo manual > ~/.config/upstart/gnome-
keyring-ssh.override)
=====
GNOME Keyring is by default a rather invasive service, which meddles
with security sensitive processes invasively. This may or may not be
wise depending on a users situation.
One particular case is GNOME Keyring's gpg-agent implementation, which
is incomplete and therefore doesn't support GPG's OpenPGP smartcard
support. gpg simply fails (with smartcards) when GNOME Keyring is
impersonating gpg-agent...
So to be able to use OpenPGP smartcards on Ubuntu, one needs to disable
GNOME Keyring from impersonating gpg-agent, which for quite some time
now has been trivial to effectively do:
echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gnome-
keyring-gpg.desktop
With GNOME Keyring's recent update (3.10.1-1ubuntu4.1) in Trusty, this
seems to have been broken by the addition of:
/usr/share/upstart/sessions/gnome-keyring.conf
So it seems the /etc/xdg/autostart/gnome-keyring files are either being
ignored, or the started process is supplanted by the process started by
the upstart session config.
What is unclear to me is what the upstart session configuration is
supposed to achieve? And if it is meant to supplant the xdg/autostart
files, those should probably have been removed to prevent them from
causing any confusion as to how gnome-keyring is started/managed.
Presuming the upstart session is meant to stay, I would suggest to
remove the /etc/xdg/autostart/gnome-keyring-*.desktop files to prevent
confusion as mentioned above. And in my opinion a mechanism should be
provided so users can control which gnome-keyring components '--
components=pkcs11,secrets,ssh,gpg' are activated using some
configuration file in /etc, as files in /usr aren't meant to be user
edited.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-keyring 3.10.1-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 29 18:14:57 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-04-07 (205 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Beta amd64 (20140326)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.xdg.autostart.gnome.keyring.gpg.desktop: 2014-04-09T19:49:03.884840
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1387303
Title:
regression: gnome-keyring components can't be disabled anymore
Status in gnome-keyring package in Ubuntu:
Fix Released
Status in gnome-keyring source package in Trusty:
Fix Committed
Status in gnome-keyring source package in Utopic:
Fix Committed
Status in gnome-keyring source package in Vivid:
Fix Released
Bug description:
To disable gnome-keyring ssh agent,
- disable gnome keyring ssh in startup applications
To disable gnome-keyring gpg agent,
- disable gnome keyring gpg in startup applications
If above are disabled, stock ssh-agent & gpg-agent upstart jobs are
used instead.
=====
SRU tests
By default environment should have SSH & GPG agent variables pointing
at gnome-keyring provided ones.
Disabling gpg or ssh gnome keyring desktop files in "Startup
Applications" upon next login stock gpg/ssh agent's will be used. (No
gnome-keyring name in the SSH/GPG agent variable values)
Similarly, disabling upstart jobs for ssh or gpg agent also enables
stock ssh/gpg agents. (e.g. echo manual > ~/.config/upstart/gnome-
keyring-ssh.override)
=====
GNOME Keyring is by default a rather invasive service, which meddles
with security sensitive processes invasively. This may or may not be
wise depending on a users situation.
One particular case is GNOME Keyring's gpg-agent implementation, which
is incomplete and therefore doesn't support GPG's OpenPGP smartcard
support. gpg simply fails (with smartcards) when GNOME Keyring is
impersonating gpg-agent...
So to be able to use OpenPGP smartcards on Ubuntu, one needs to
disable GNOME Keyring from impersonating gpg-agent, which for quite
some time now has been trivial to effectively do:
echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gnome-
keyring-gpg.desktop
With GNOME Keyring's recent update (3.10.1-1ubuntu4.1) in Trusty, this
seems to have been broken by the addition of:
/usr/share/upstart/sessions/gnome-keyring.conf
So it seems the /etc/xdg/autostart/gnome-keyring files are either
being ignored, or the started process is supplanted by the process
started by the upstart session config.
What is unclear to me is what the upstart session configuration is
supposed to achieve? And if it is meant to supplant the xdg/autostart
files, those should probably have been removed to prevent them from
causing any confusion as to how gnome-keyring is started/managed.
Presuming the upstart session is meant to stay, I would suggest to
remove the /etc/xdg/autostart/gnome-keyring-*.desktop files to prevent
confusion as mentioned above. And in my opinion a mechanism should be
provided so users can control which gnome-keyring components '--
components=pkcs11,secrets,ssh,gpg' are activated using some
configuration file in /etc, as files in /usr aren't meant to be user
edited.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-keyring 3.10.1-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 29 18:14:57 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-04-07 (205 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Beta amd64 (20140326)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.xdg.autostart.gnome.keyring.gpg.desktop: 2014-04-09T19:49:03.884840
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1387303/+subscriptions
References