GNOME Bugzilla – Bug 644415
gpg agent not working with smartcards
Last modified: 2016-02-23 09:55:30 UTC
Hi,

When trying to use gpg with my private keys stored on my smartcard, I get an error:

$ LANG=C gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error

Disabling the agent does the trick, but I think this is still a bug.
Looks like gpg is not giving you a helpful message, when the agent doesn't support smart cards. In which case this is not a gnome-keyring bug. Or do you mean that the gnome keyring agent should support smart cards? If so, could you update this bug to reflect that and set it as 'enhancement'.
Indeed this is an enhancement. If it's not possible/easy to implement such support, would it be possible to at least not make gpg fail?
I think that implementing this isn't super easy. Would be nice, but certainly isn't easy. Not sure about the gpg failure modes. Would you be interested in looking into whether it's easy to make gpg not fail? Once you find out, I can put together a relevant patch.
I think that this problem is "confirmed" - there is a number of people affected, as evidenced here: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/884856

And I think that this is a "bug" rather than "enhancement", in the sense that gnome-keyring *lies* to gpg that it can act as a drop-in replacement for gpg-agent. In reality gnome-keyring implements only a subset of gpg-agent's functionality, and so in the presence of gnome-keyring, gpg's functionality is crippled. (Just to be clear: when you "hide" gnome-keyring from gpg, it works with the cards; when you let gpg "see" the presence of gnome-keyring, it does not.)

I believe that unless gnome-keyring implements the complete functionality of gpg-agent, it should not by default advertise itself as gpg-agent. Thanks.
The gnupg gpg-agent has grown in functionality since the gnome-keyring gpg agent was written. Nobody is lying here. Calm down, getting uptight doesn't help progress in any way whatsoever. That said, it *is* a goal of gnome-keyring to run the real gpg-agent and just handle the prompting. This has been discussed with the gnupg guys. I would love for someone to contribute work towards this, and happy to coordinate with them. The way this works is that whoever cares about this the most gets involved and makes it happen (whether doing the work, or sponsoring someone to do it), and I'm willing to facilitate that. While I personally care about it, it's not at the tippy top of my "care about" list and so it may take a while to get to it.
Sorry if I sounded harsh, it was not my intention. I had my own projects fall behind, I know how it happens.

My point here is: in _my opinion_, it would be better _in this case_ to not provide the functionality in question at all than to provide incomplete functionality. Especially since gnupg is not good at diagnosing the inconsistency in the agent protocol, which makes troubleshooting nontrivial.

Thanks for consideration, and sorry again.
(In reply to comment #6)
> Sorry if I sounded harsh, it was not my intention. I had my own projects fall
> behind, I know how it happens.
>
> My point he is: in _my opinion_, it would be better _in this case_ to not
> provide the functionality in question at all than to provide incomplete
> functionality. Especially since gnupg is not good at diagnosing the
> inconsistency in the agent protocol, which makes troubleshooting nontrivial.

Right. Different people have different opinions here.

* First of all, it is trivial to disable the gpg-agent provided by gnome-keyring (see gnome-session-properties).
* Secondly, if a distro wants to disable the gnome-keyring gpg-agent by default that's something they could choose to do. If you feel strongly about it, you might make your case to your distro.
* Lastly *everything* is incomplete, and a work in progress. It's unfortunate. At the time when the gnome-keyring gpg-agent was written it wasn't incomplete, but the gnupg v 2.x agent has added lots of features. Hence the desire to use the gnupg provided gpg-agent as soon as someone does the integration work.
So to summarize the current state of this.

The current features of the gnome-keyring gpg-agent are:

* Prompt via system prompts in gnome-shell.
* Optionally permit the user to save their private key passphrases in the gnome-keyring login keyring, and have them automatically unlocked while they are logged in.

There are three possible courses of action for a contributor to take to fix this issue:

a. gnupg would integrate with GNOME 3 (prompt via gnome-shell, and give the option to save passwords in the gnome-keyring login keyring) and gnome-keyring can then drop its gpg-agent implementation, as its features would now be found elsewhere.

b. gnome-keyring would run a proper gpg-agent and proxy all the commands to it, intercepting the commands it needs in order to implement its features.

c. Write a Pinentry using the documented interface between gpg-agent and Pinentry and make use of it. This pinentry program would provide the above features (prompt via gnome-shell, permit user to save key passphrases in the gnome login keyring).

Option C may need some changes to the way gpg-agent calls pinentry programs ... See here: http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028703.html

The following libraries could be used to implement Option C:

https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html
https://developer.gnome.org/libsecret/0.18/
https://www.gnupg.org/(de)/related_software/libassuan/index.html

The resulting code could live in the gnome-keyring project.
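To make Option C above concrete, here is a small added illustration (not code from this bug, from gnome-keyring, or from GnuPG's pinentry) of the request/response framing a pinentry program speaks towards gpg-agent: Assuan-style command lines in, `OK` / `D ...` / `ERR ...` lines out, with percent-escaping of the data. The `ask_pin` and `ask_confirm` callbacks stand in for the GNOME Shell prompt and the optional saved-passphrase lookup that the real implementation would do with GcrSystemPrompt and libsecret; the libgpg-error source and code numbers used to build the `ERR` replies are stated as an assumption in the code.

```python
"""Toy pinentry responder for the Assuan-based gpg-agent <-> pinentry protocol.

Added illustration only: not gnome-keyring code and not GnuPG's pinentry.
It models just the line framing, so the shape of "Option C" is visible.
"""
import re

# libgpg-error packs an error number as (source << 24) | code.  The values
# below are the libgpg-error constants as the author of this example knows
# them; treat them as an assumption and check gpg-error.h before relying on them.
GPG_ERR_SOURCE_PINENTRY = 5
GPG_ERR_CANCELED = 99
GPG_ERR_ASS_UNKNOWN_CMD = 275


def gpg_error(code: int) -> int:
    """Compose a libgpg-error style error number for the pinentry source."""
    return (GPG_ERR_SOURCE_PINENTRY << 24) | code


def assuan_unescape(text: str) -> str:
    """Decode Assuan percent-escapes (%0A, %0D, %25, ...) in a command argument."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def assuan_escape(text: str) -> str:
    """Escape the characters a data ('D ') line must not carry raw."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


class PinentrySession:
    """State for one client connection: a few SET* values, then GETPIN/CONFIRM.

    ask_pin(desc, prompt) returns the passphrase, or None when the user
    cancelled; ask_confirm(desc) returns True or False.  Both are hypothetical
    callbacks standing in for the GNOME prompt / saved-passphrase lookup.
    """

    def __init__(self, ask_pin, ask_confirm):
        self.ask_pin = ask_pin
        self.ask_confirm = ask_confirm
        self.desc = ""
        self.prompt = "PIN:"
        self.closed = False

    @staticmethod
    def greeting() -> str:
        # First line the server writes once the client has connected.
        return "OK Pleased to meet you"

    def handle(self, line: str) -> list:
        """Handle one client line and return the list of response lines."""
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            return []  # Assuan ignores empty and comment lines
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        cancelled = "ERR %d Operation cancelled <Pinentry>" % gpg_error(GPG_ERR_CANCELED)
        if cmd == "SETDESC":
            self.desc = assuan_unescape(arg)
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = assuan_unescape(arg)
            return ["OK"]
        if cmd in ("SETTITLE", "SETOK", "SETCANCEL", "SETERROR", "OPTION"):
            return ["OK"]  # accepted, but their effect is not modelled here
        if cmd == "GETPIN":
            pin = self.ask_pin(self.desc, self.prompt)
            if pin is None:
                return [cancelled]
            return ["D " + assuan_escape(pin), "OK"]
        if cmd == "CONFIRM":
            return ["OK"] if self.ask_confirm(self.desc) else [cancelled]
        if cmd == "BYE":
            self.closed = True
            return ["OK closing connection"]
        # Any command this server does not implement is refused this way.
        return ["ERR %d Unknown IPC command <Pinentry>" % gpg_error(GPG_ERR_ASS_UNKNOWN_CMD)]


def run_transcript(client_lines, ask_pin, ask_confirm) -> list:
    """Drive one session from a list of client lines; return all server output."""
    session = PinentrySession(ask_pin, ask_confirm)
    out = [session.greeting()]
    for line in client_lines:
        out.extend(session.handle(line))
        if session.closed:
            break
    return out


if __name__ == "__main__":
    # Constructed sample exchange, in the order gpg-agent would send it.
    script = ["SETDESC Please enter the passphrase%0Ato unlock the key",
              "SETPROMPT Passphrase:", "GETPIN", "BYE"]
    for reply in run_transcript(script, lambda d, p: "hunter2%", lambda d: True):
        print(reply)
```

The `ERR ... Unknown IPC command` reply at the end of `handle` is the generic way an Assuan server declines a command it does not implement; the "unknown command" in the report at the top of this bug is gpg surfacing that class of reply from the agent it was talking to, which is why an agent that covers only part of the protocol breaks smartcard use rather than degrading gracefully.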
There is a $100 bounty on this bug[1] since Sep/30/2013. This bug is related to at least this other one[2] here in bugzilla.gnome.org.

Since 'gnome-session-properties' hasn't been there for several GNOME iterations, this is getting more difficult to tackle. The last suggested paths from Mr Walter seem like a quite adequate approach to this problem, providing a shim to gpg-agent that will do all the heavy lifting.

Is there any update on this issue?

[1]: https://freedomsponsors.org/issue/359/gnome-keyring-integration-breaks-some-gpg-functions
[2]: https://bugzilla.gnome.org/show_bug.cgi?id=535373
gnome-keyring no longer implements a gpg-agent. The gnupg agent and pinentry have been updated to better integrate with GNOME.

https://mail.gnome.org/archives/distributor-list/2015-August/msg00000.html