[lucid] gpg-agent prevents unprotection of passphrases

Bug #567106 reported by Joke de Buhr on 2010-04-20
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Fix Released
gnupg2 (Ubuntu)

Bug Description

Binary package hint: gpg-agent

gpg-agent version 2.0.14 has a known bug which prevents unprotection of new or changed gpg-agent passphrases.

If someone tries to unlock an ssh-key which has been changed with the lucid's version of the agent (2.0.14) the pinentry program will always report a wrong passphrase and ssh will fail with "Agent admitted failure to sign using the key."


A patch from upstream has been attached (http://lists.gnupg.org/pipermail/gnupg-users/2010-April/038632.html).


- Prepare a SSH key (or take an existing one):
    ssh-keygen -C "test key" -f test_key
    cat test_key.pub >> ~/.ssh/authorized_keys

- Test that it's broken:
    eval "$(gpg-agent --daemon --enable-ssh-support)"
    ssh-add test_key
    ssh localhost

- Test that the fix works:
    ssh-add -d test_key
    rm ~/.gnupg/private-keys-v1.d/<therightkey>.key (look at the timestamps of the files to find the right one for the recent added SSH test key)
    Install the fixed packages
    eval "$(gpg-agent --daemon --enable-ssh-support)"
    ssh-add test_key
    ssh localhost

Joke de Buhr (joke) wrote :
Changed in gnupg2 (Ubuntu):
status: New → Confirmed
Joke de Buhr (joke) wrote :

to reproduce the error (you should backup your ~/.ssh/authorized_keys file):

eval "$(gpg-agent --daemon --enable-ssh-support)"
ssh-keygen -C "test key" -f test_key
ssh-add test_key
cat test_key.pub > ~/.ssh/authorized_keys
ssh localhost

segler (segler-alex) wrote :

please add this patch to lucid, it is really important to me

Joke de Buhr (joke) on 2010-04-24
description: updated
Jo (16303-gmx) wrote :

I need to import a new private-key for university communication. Using the certificate is mandatory at our faculty. This is a security related issue and should be treated with priority. Not to be able to use gpgsm is a real show stopper...

The patch is available: http://marc.info/?l=gnupg-users&m=126451730710129&w=2


tags: added: patch
Changed in gnupg2:
status: Unknown → Fix Released
MatejS (matej-samcik) wrote :

I used package from Joke de Buhr gnupg-agent_2.0.14-1ubuntu2~joke2_i386.deb - didn't help.

Joke de Buhr (joke) wrote :

You need to delete the key. Then re-add the key once more.

If what doesn't work I need to check if I made a mistake while apply the patch.

MatejS (matej-samcik) wrote :

That's what I did I deleted manualy keys from ~/.gnupg/private-keys-v1.d and also via gui from Kleopatra, then restarted KDE session, checked that no gpg-agent is runinng. Again imported keys and tried to send a signed email message and got again "Bad passphrase"

Joke de Buhr (joke) wrote :

I think that should have done the trick. I'm going to investigate if I missed something during package building. I having been adding new keys since I built the package. I added my key using a locally patched version of gnupg.

I'm adding the new packages here as soon as I'm finished.

MatejS (matej-samcik) wrote :

I will provide some details: I installed patched binary from Joke de Buhr then after I removed all keys and restarted KDE session, checked that no gpg-agent is running, I imported keys with:

gpgsm --import newkey.p12

everything seemed to be OK, passphrase to unprotect, then 2x passphrase to protect, import successful...

But no way to sign email message in kmail:

  5 - 2010-06-15 10:51:28 gpg-agent[1489]: starting a new PIN Entry
  5 - 2010-06-15 10:51:28 gpg-agent[1489]: DBG: connection to PIN entry established
  5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: -> INQUIRE PINENTRY_LAUNCHED 3057
  5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: <- END
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to unprotect the secret key: Bad passphrase
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to read the secret key
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: command pksign failed: Bad passphrase
  5 - 2010-06-15 10:51:36 gpg-agent[1489.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056]: error creating signature: Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: <- BYE
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> OK closing connection

Joke de Buhr (joke) wrote :

I just rebuilt the package. I tested it by adding ssh keys. I think it should work with gpgsm --import as well. But I'm not absolutely sure because I'm not a gnupg developer.

The new packages are available. You should install all three packages: gnupg2, gpg-agent and gpgsm. This may be the reason you had trouble with gpgsm the last time.


Joke de Buhr (joke) wrote :

Please report if the updated package solves the problem. If it doesn't report it too.

MatejS (matej-samcik) wrote :

Installing all three packages solved the problem, thank you very much. Hope that official package will be fixed soon, too.

Joke de Buhr (joke) wrote :

Unfortunately the maintainer continues using the unpatched gnupg 2.0.14 release in maverick. If he doesn't consider switching to gnupg 2.0.15 any time soon or at least importing this patch, ubuntu maverick will still face this bug.

Steffen Hansen (steffen-kdab) wrote :

Any chance there will be a fixed 2.0.14 or even better 2.0.15 package for Ubuntu Lucid? This bug makes it impossible to use gpgsm for S/MIME.

Joke de Buhr (joke) wrote :

If you need to use gpgsm just use the fixed package I built (see post #11). As said earlier the ubuntu maintainer doesn't seem to care fixing the bug.

Michael Bienia (geser) wrote :

Packages in Ubuntu are team-maintained, so there isn't one person acting as "the" maintainer. Some packages have more people looking at them, other less.
I'll try to find some time to prepare an SRU for this (i.e. 2.0.14 + this patch). 2.0.15 could only be made available to lucid as a backport from maverick (once maverick has 2.0.15).

Michael Bienia (geser) wrote :

Here is a debdiff with the upstream patch for lucid. It looks bigger as it really is as the debian-changes patch got regenerated (and debian-changes-2.0.14-1ubuntu1 needed to get merged with it) as gnupg2 uses the "single-debian-patch" option.

Michael Bienia (geser) on 2010-06-19
description: updated
Martin Pitt (pitti) wrote :

Sponsored. Michael, next time please subscribe the sponsoring team if you need sponsoring.

Martin Pitt (pitti) wrote :

This was fixed in 2.0.14-1.1 which is in maverick.

Changed in gnupg2 (Ubuntu):
status: Confirmed → Fix Released

Accepted gnupg2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in gnupg2 (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Jacob Helwig (jhelwig) wrote :

I can confirm that the gnupg2 and gnupg-agent packages in lucid-proposed allow me to use gpg-agent as an ssh-agent.

Martin Pitt (pitti) on 2010-08-09
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.0.14-1ubuntu1.1

gnupg2 (2.0.14-1ubuntu1.1) lucid-proposed; urgency=low

  * Fix a regression in gnupg2 2.0.14 which prevents unprotection of new or
    changed gpg-agent passphrases. Patch provided by Werner Koch (upstream)
    (lp: #567106).
 -- Michael Bienia <email address hidden> Sat, 19 Jun 2010 11:01:30 +0200

Changed in gnupg2 (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.