Bug 742094 – Support GnuPG-2.1.x

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 742094 - Support GnuPG-2.1.x


Summary:	Support GnuPG-2.1.x


Status:	RESOLVED FIXED

Product:	gnome-keyring
Classification:	Core
Component:	gpg-agent
Version:	git master
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	GNOME keyring maintainer(s)
QA Contact:	GNOME keyring maintainer(s)

URL:
Whiteboard:

Depends on:	750514
Blocks:	745843

Reported:	2014-12-29 17:02 UTC by Armin K.
Modified:	2015-10-07 11:59 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Armin K. 2014-12-29 17:02:06 UTC

According to the GnuPG-2.1 announcement [1], the GPG_AGENT_INFO variable isn't used anymore and the socket is hardcoded to ~/.gnupg/S.gpg-agent (aka $GNUPG_HOME/S.gpg-agent).

I am not really sure what needs to be done for gnome-keyring gpg-agent to work with gnupg-2.1, but it would be nice to get this done in the near future since it doesn't currently work.

https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart

Comment 1 Stef Walter 2015-04-09 06:53:14 UTC

Ideally a pinentry program would be written, that allows the following:

 * Prompting via gnome-shell
 * Optionally caching the password.

One thing that seems to be missing is getting a full keyid in the pinentry for use when caching. In theory one can "screen scrape" a short keyid this out of the prompt message ... but that's pretty fragile.

So a bit of additional work to have gpg2 pass an assuan OPTION with the keyid or a unique identifier, if that's preferrable. The absence of which would indicate that the passphrase does not belong to a stable entity (like a key).

Links to stuff that would be used:

 * System prompt API: https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html
 * Caching passphrases with libsecret: https://developer.gnome.org/libsecret/unstable/c-examples.html
 * Assuan protocol: https://www.gnupg.org/documentation/manuals/assuan/

Comment 2 Stef Walter 2015-04-09 06:53:37 UTC

This is what assuan sorta looks like:

OPTION grab
OPTION ttyname=/dev/pts/1
OPTION ttytype=xterm-256color
OPTION lc-ctype=en_US.UTF-8
OPTION lc-messages=en_US.UTF-8
OPTION default-ok=_OK
OPTION default-cancel=_Cancel
OPTION default-prompt=PIN:
OPTION touch-file=/data/.gnupg/S.gpg-agent
GETINFO pid
SETDESC You need a passphrase to unlock the secret key for user:%0A"Stef Walter <stef@thewalter.net>"%0A1024-bit DSA key, ID D92765AF, created 2002-01-24%0A
SETPROMPT Passphrase
SETERROR Invalid passphrase; please try again
GETPIN
BYE

Comment 3 Stef Walter 2015-04-09 06:54:11 UTC

Once such a pinentry program exists, we would figure out a way to make it active while a GNOME session is running. The gpg-agent code in gnome-keyring would be removed.

Comment 4 Stef Walter 2015-04-09 06:55:07 UTC

Previous discussion: https://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html

Comment 5 Neal H. Walfield 2015-04-15 07:41:22 UTC

A stable identifier is now provided with requests for the passphrase.  The relevant command is SETKEYINFO.  Please see the GnuPG bug report about this feature request for more details: https://bugs.g10code.com/gnupg/issue1945 .

Comment 6 Pacho Ramos 2015-05-15 10:03:51 UTC

Looks like gnupg upstream has implemented a gnome3 pinentry... maybe the "solution" would then be to remove the gnome-keyring gpg-agent... :/
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=pinentry.git;a=commit;h=be87785005d256b7f3dacc607ba5ea0a14de8593

Comment 7 Luis Henrique Mello 2015-09-24 13:06:14 UTC

Blocker bug https://bugzilla.gnome.org/show_bug.cgi?id=750514 has been fixed.

Comment 8 Stef Walter 2015-10-07 11:59:26 UTC

This is solved in gnome-keyring 3.18.0. gnome-keyring no longer ships a gpg-agent.