seahorse asks twice for gpg key password

Bug #246364 reported by Przemek K. on 2008-07-07
This bug affects 2 people
Affects Status Importance Assigned to Milestone
enigmail (Ubuntu)
seahorse (Ubuntu)
Ubuntu Desktop Bugs
thunderbird (Ubuntu)

Bug Description

Binary package hint: seahorse

Recently I've installed Hardy. When I'm sending an email with Thunderbird, Enigmail asks twice for my gpg password, even though I've typed it correctly. This happens on Enigmail from Ubuntu package, and on the one downloaded from Same version of enigmail worked properly on Gutsy so it might be a Thunderbird bug.

Edit: it's a seahorse issue. I've checked an option to remember the GPG password and ask before using it and now I get 2 questions about using my GPG password.

Edit2: OK, now I get it. It happens when I choose the option to not remember my GPG passwords.

Przemek K. (azrael) on 2008-07-07
description: updated
Changed in enigmail:
status: New → Invalid
Changed in thunderbird:
status: New → Invalid
Przemek K. (azrael) on 2008-07-07
description: updated
Przemek K. (azrael) on 2008-07-07
description: updated

As this seems to be a user error I am marking this as an invalid bug.

Changed in seahorse:
status: New → Invalid
Przemek K. (azrael) wrote :

It's not a user error - Seahorse shouldn't ask twice for the same GPG password.

Paul Gevers (paul-climbing) wrote :

I can confirm this problem for Thunderbird and Enigmail.

Paul Gevers (paul-climbing) wrote :

I should add some comment to my previous comment:
* it happens when I sign with PGP/MIME on, it does NOT happen without PGP/MIME.
* the above mentioned solution (Edit2), with remembering the pass phrase does not matter in this case, with the time set to 0 or to 15 minutes, both time it asks 2 time. It does NOT remember the pass phrase anyway (also not without PGP/MIME).

Przemek K. (azrael) on 2008-09-13
Changed in seahorse:
status: Invalid → New
Changed in seahorse:
status: Unknown → New
Paul Gevers (paul-climbing) wrote :

My problems are gone now that I (only) removed seahorse from my system (so it really looks that it has a bug). Enigmail is also able to remember my passphrase.

I found this discussion [1] at enigmail forum, someone having the same problem


Andreas Moog (ampelbein) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I can't replicate the issue neither on hardy nor in intrepid, can you try with version 2.24.0 from intrepid?

Changed in seahorse:
assignee: nobody → desktop-bugs
importance: Undecided → Low
status: New → Incomplete
Changed in seahorse:
status: Incomplete → Triaged


I can confirm this bug on Intrepid. I updated my system from Hardy (where the error did not occur) to Intrepid and now I have to type in my password twice.

ii seahorse 2.24.1-0ubuntu1 A Gnome front end for GnuPG
ii thunderbird mail/news client with RSS and integrated spam filter sup

AZ (m-dev) wrote :

I can confirm this bug.
I reconfigured my gnome gpg settings in system->preferences->encryption and set "do not remember password".
Since then enigmail asked everytime I opened a mail though I set "remember for 5 min" in enigmail prefs.
Now I reset that the option in gnome->preferences->encryption to 20min, I works again with enigmail.

I would expect enigmail to either ignore the gnome settings or
alert me of this setting being in place and overriding the engimail setting.

AZ (m-dev) wrote :

I'm running Intrepid.

libcryptui0 2.24.1-0ubuntu1
seahorse 2.24.1-0ubuntu1
seahorse-plugins 2.24.1-0ubuntu1
thunderbird-locale-de 1:
thunderbird-locale-en-gb 1:

and enigmail 0.95.7
I can reproduce the problem by reenabling "do not keep passphrase" in system->preferences->encryption .

mokabar (tim-klingt) wrote :

removing seahorse is another possible workaround ... would like to see a proper fix, though

Changed in seahorse:
status: New → Confirmed
Changed in seahorse:
status: Confirmed → Invalid
AZ (m-dev) wrote :

Can somebody please explain why this bug has been set to be invalid?

Sebastien Bacher (seb128) wrote :

you have the url to the GNOME bug in the table on the webpage

mokabar (tim-klingt) wrote :

apparently, enigmail performs two operation. the question for me is, why? and why is the enigmail part of this bug `invalid'?

Andreas Moog (ampelbein) wrote :

It is a enigmail-issue. Invalidating the seahorse task and reopening the enigmail one. Enigmail performs two separate actions, see upstream's comment:

"From the enigmail ouput pasted in the enigmail forum, enigmail is performing
two different operations:

enigmail> /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -t --clearsign -u 0xA81E15E0 --use-agent
enigmail> /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 --digest-algo sha1 -s -b -a -t -u 0xA81E15E0 --use-agent

If your option is set to have the agent not remember your passphrase, you will
be asked twice for it because it's not being cached from request to request.
If changing the caching option from never to expires after a period of time or
always fixes this behavior, then everything is operating as designed. If
that's not the case, please reopen this bug. "

Changed in seahorse (Ubuntu):
status: Triaged → Invalid
Changed in enigmail (Ubuntu):
status: Invalid → Confirmed
importance: Undecided → Low
Changed in seahorse:
importance: Unknown → Low
Andrew Skalski (askalski) wrote :

I did some troubleshooting on this issue, because it affects me as well. The previous comment mentions an upstream bug report, but I haven't been able to find it, so I'll post this here.

The first time I send a signed message after restarting Thunderbird, I get prompted twice for my gpg key password. Each subsequent time I send a signed message within the same Thunderbird session, I am only prompted once.

I should make it clear that I have my gpg-agent configured with "ignore-cache-for-signing" enabled. Although upstream states this case is working as intended, I can suggest a minor code change which would eliminate the need for the extra password prompt.

As mentioned previously, there are two signing requests to gpg2 during this first transaction. The first of these ("--clearsign") is signing the message "Dummy Test" for the sole purpose of detecting which digest algorithm gpg2 intends to use: it looks for a line such as "Hash: SHA256" in the output.

One thing I noticed when testing gpg2 on the command line is gpg2 outputs the "Hash: SHA256" line *before* it prompts for the password. So, the password prompt can be bypassed by adding the argument "--pinentry-mode cancel" to the gpg2 command line:

$ /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --use-agent --batch --no-tty --status-fd 2 -t --clearsign --pinentry-mode cancel -u 0xE19CF36DDF865D8405B1E4100B39535099304B41 <<< 'Dummy Test'
Hash: SHA256

Dummy Test
gpg: signing failed: Operation cancelled
[GNUPG:] FAILURE sign 67108963
gpg: [stdin]: clearsign failed: Operation cancelled

Enigmail can then parse the digest algorithm from the output without needing to bother the user with an extra password prompt.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.