gnome-keyring integration breaks some GPG functions

Bug #884856 reported by Henryk Plötz on 2011-11-01
136
This bug affects 29 people
Affects Status Importance Assigned to Milestone
GNOME Keyring
Fix Released
Wishlist
gnome-keyring (Debian)
New
Undecided
Unassigned
gnome-keyring (Ubuntu)
Low
Unassigned

Bug Description

In recent Ubuntu releases (not sure how far back, but at least Oneiric) gnome-keyring offers gpg-agent integration and is enabled by default. The gpg-agent protocol implementation of gnome-keyring is very incomplete and hence breaks at least the smartcard functions of gpg and most functions of gpgsm.

Steps to reproduce (smartcard):
1. Acquire a smartcard reader, an OpenPGP smartcard and install pcsc-lite
2. Start a normal new Ubuntu desktop session
3. strace gpg --card-status

Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(3, "SCD SERIALNO openpgp", 20) = 20
write(3, "\n", 1) = 1
read(3, "ERR 103 unknown command\n", 1002) = 24
...

The printout on stdout is
selecting openpgp failed: unknown command
OpenPGP card not available: general error

Expected results: The agent should know the SCD command and act accordingly.

Steps to reproduce(gpgsm):
1. Migrate from an old installation that includes X.509 certificates and private keys in gpgsm.
2. strace gpgsm -K

Actual results:
...
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/tmp/keyring-p6oNWL/gpg"}, 25) = 0
...
write(4, "HAVEKEY 62B64B58FF1BD7E0B48FE51A"..., 48) = 48
write(4, "\n", 1) = 1
read(4, "ERR 103 unknown command\n", 1002) = 24
...

Expected results: The agent should know the HAVEKEY command and act accordingly.

Due to the way the gnome-keyring is activated in recent releases no easy workaround is possible. Removing the GPG_AGENT_INFO environment variable makes the individual examples work (they will just start their own agent if necessary), but that's not possible (and certainly not configurable) on a system level. gnome-keyring-daemon allows in principle to deactivate the faulty gpg module (there is a command line option --components that accepts a list of any combination of pkcs11,secrets,ssh,gpg).

But currently the gnome-keyring-daemon is started through the pam_gnome_keyring.so PAM module which uses a hard-coded command line ("--daemonize --login").

Steps to resolve this problem: At least a) disable the gpg gnome-keyring module by default in the PAM module, and/or b) make the command line options that the module uses user configurable. Or c) extend gnome-keyring with all the missing functionality (and play a constant game of catch-up), or d) leave gpg-agent operations to the gpg-agent and try to solve whatever problem the gnome-keyring gpg-agent emulation was meant to solve in another manner.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: gnome-keyring 3.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 31 05:41:24 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, no user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: gnome-keyring
UpgradeStatus: Upgraded to oneiric on 2011-10-14 (17 days ago)

Henryk Plötz (henryk-ploetzli) wrote :
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Changed in gnome-keyring (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-keyring (Ubuntu):
status: New → Confirmed
NIIBE Yutaka (gniibe) wrote :

Hi, I am smartcard/cryptographic-token user for GnuPG and had this problem too.

It used to be GNOME configuration tool in GNOME 2 to disable the interference by GNOM keyrings.

It seems that it has been changed, and now it is possible for users to disable the interference using 'gnome-session-properties'.

Invoke the command, and at the "StartUp Programs" tab, you can disable "GPG Password Agent" and "SSH Key Agent" buttons.

Henryk Plötz (henryk-ploetzli) wrote :

Ok, it seems I misunderstood the gnome-keyring-daemon startup procedure. Apparently --daemonize --login spawns kind of an empty shell for the functionality (accepting the password through PAM) but does not actually initialize any functionality. For that additional calls the gnome-keyring-daemon with the options --start --components=… (listing the desired component or components) are necessary. As such the PAM module call is actually correct and the fault for gnome-keyring-daemon uncontrollably taking over GPG functions lies elsewhere. (It's just rather confusing because the later calls to --start --components don't leave any traces and looking at the running process list will only show one gnome-keyring-daemon process with --daemonize --login.)

In theory, and apparently in some practical cases as evidenced by comment 4 and some other hints on the web, the modules should be started by the session and selectable in gnome-session-properties. However, that doesn't seem to be the case, for Oneiric at least: I tried creating a new user account on my system, and tried a friend's installation (to exclude the possibility of something being wrong with my installation): There is no entry for any gnome-keyring-daemon module in the startup programs list.

Instead, there are multiple /etc/xdg/autostart/gnome-keyring-….desktop files, one each for gpg, secrets, pkcs11 and ssh with no obvious UI to disable any of them.
WORKAROUND: Removing the /etc/xdg/autostart/gnome-keyring-gpg.desktop file releases (after logging out and in again) gnome-keyring-daemon's grip over the GPG agent functionality and lets gpg and gpgsm work normally again.

-- Steps to reproduce --
1. On a normal Ubuntu Oneiric installation log in normally.
2. Open a Terminal
3. echo $GPG_AGENT_INFO

-- Actual results --
/tmp/keyring-<some random string>/gpg:0:1

-- Expected results (and actual results after applying workaround) --
/tmp/gpg-<random string>/S.gpg-agent:<random number>:1

Simon Déziel (sdeziel) wrote :

My Oneiric fresh install is also affected by this change. My enigmail (GPG for Thunderbird) configuration was migrated from Natty where it was configured to ask for me a password to unlock my GPG key. Now, in Oneiric, enigmail always has access to my GPG key and never prompts me for a password.

Sebastien Bacher (seb128) wrote :

the new comments on how to disable the gnome-keyring agents are orthogonal to the bug described there, ideally the GPG agent would be good enough that it doesn't need to be disabled, somebody should still report the bug to GNOME if we want to see it worked.

note that we hide system components from the startup applications list because they confuse most users, those technical enough to change their gpg agent should be able to deal with a command line ;-)

Pete Stephenson (heypete) wrote :

(Resurrecting a long-idle thread. Sorry.)

This issue has also propagated to Linux Mint 14, an Ubuntu derivative. I was having difficulty using my German Privacy Foundation Crypto Stick with Mint or Ubuntu.

While it doesn't solve the underlying issue (that is, the gnome-keyring agent doesn't play nice with smartcards), one can easily disable the offending agent and thus restore normal GPG operations in the following ways

*****

Unity desktop (GUI method):

*****

MATE (fork of GNOME 2) desktop (GUI method):
Click "Menu" --> "Preferences" --> "Startup Applications". Uncheck the GPG Password Agent (it appears twice as the "GNOME Keyring" and "MATE Keyring").

*****

MATE (fork of GNOME 2) desktop (command line method):
1. Open a terminal.

2. Execute the following commands as your user account (root is not required):

mkdir ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
echo "X-MATE-Autostart-enabled=false" >> ~/.config/autostart/gnome-keyring-gpg.desktop

3. Log out of your session and log back in.
4. Test to make sure things are working.

*****

Cinnamon (or Unity) desktop:
1. Open a terminal.

2. Execute the following commands as your user account (root is not required):

mkdir ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/gnome-keyring-gpg.desktop

3. Log out of your session and log back in.
4. Test to make sure things are working.

*****

How to test if things are working:

1. Open a terminal.

2. Execute the following command as your user account (root is not required):

echo $GPG_AGENT_INFO

3. a. If "S.gpg-agent" (or nothing, in the case of Unity, oddly enough) appears in the result, GPG will use the normal GPG agent. (Example: "/home/pete/.gnupg/S.gpg-agent:2120:1")

b. If "keyring" appears in the result, GPG will use the GNOME keyring agent and you will likely not be able to access the smartcard. (Example "/run/user/pete/keyring-k4pQam/gpg:0:1")

The exact paths, usernames, and numbers in the responses will vary. This is normal. It's the presence of either "S.gpg-agent" or "keyring" that identify which agent is being used.

4. Run "gpg2 --card-status" (or "gpg --card-status" if you don't have gnupg2 installed) to verify that GPG is able to communicate with the card.

*****

Even though it doesn't solve the underlying problem, I hope this workaround is helpful.

Pete Stephenson (heypete) wrote :

Brief follow-up to previous comment:

I seem to have left the "Unity desktop (GUI method):" section blank. I had created that section before realizing that the Unity directions were identical to the Cinnamon directions and had failed to remove it. My apologies for any confusion.

Changed in gnome-keyring:
importance: Unknown → Wishlist
status: Unknown → New
Eugene Crosser (crosser) wrote :

As an opinion, I believe that it would be a right thing to disable gpg-agent functionality of gnome-keyring by default in Ubuntu, until it implements the complete functionality. Because the way it is now, gnome-keyring breaks the functionality of gnupg.

PirBoazo (pierre-boizot-name) wrote :

Bug Allways in 14.04,
Work without pb after removing the file /etc/xdg/autostart/gnome-keyring-gpg.desktop
gnome application password & key seems work ....

legolas558 (legolas558) wrote :

Thanks Pete, so glad I found your comment. I was struggling trying to understand why it would work as root and not as normal user. Initially I was looking for some udev rules (permissions etc), but in the end through strace it turned out to be what is described here.

What is lost by disabling gpg-agent by default?

Alex Mauer (hawke) wrote :

Even removing the xdg autostart file(s) didn’t work for me.

Gnome-keyring is still being started with 'gnome-keyring-daemon --start' and is hijacking my gpg agent, thus breaking smartcard-based GPG and SSH key usage.

legolas558 (legolas558) wrote :

@hawke make sure you have disabled "Start GNOME services" in your Session & startup settings

Andre Heinecke (aheinecke) wrote :

This also breaks GPA ( https://bugs.launchpad.net/ubuntu/+source/gpa/+bug/1381926 ) and S/MIME support in Kontact.

It has required that there is a section about this in the GnuPG Wiki ( http://wiki.gnupg.org/PlatformNotes ). And related problems are regularly raised on the gnupg-users mailing list.

There was a thread on the gnupg-devel mailing list involving the gnome-keyring maintainer that shows some standpoints of this problem:

http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028690.html

Imho it is an Ubuntu problem and not an Upstream problem. Ubuntu decides to create: /etc/xdg/autostart/gnome-keyring-gpg.desktop

And thus deliberately breaks gnupg2 by default.

Christian Hudon (chrish) wrote :

Echoing the last entry, this is (also) an Ubuntu bug. The /etc/xdg/autostart/gnome-keyring-gpg.desktop should not be installed until gnome-keyring is a reasonable feature-complete replacement for the GnuPG agent, which it is not at the moment. Please consider removing that file until the upstream gnome-keyring bugs regarding GnuPG agent support are fixed. Removing that file for me fixed my problems with GnuPG.

Changed in gnome-keyring:
status: New → Confirmed
Changed in gnome-keyring:
status: Confirmed → Fix Released
Sebastien Bacher (seb128) wrote :

gnome-keyring no longer implements a gpg-agent. The gnupg agent and pinentry has been updated to better integrate with GNOME.

https://mail.gnome.org/archives/distributor-list/2015-August/msg00000.html

Changed in gnome-keyring (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.