[lucid] gpg-agent prevents unprotection of passphrases
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GnuPG2 | Fix Released | Unknown | |
gnupg2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: gpg-agent
gpg-agent version 2.0.14 has a known bug which prevents unprotection of new or changed gpg-agent passphrases.
If someone tries to unlock an ssh key which has been changed with Lucid's version of the agent (2.0.14), the pinentry program will always report a wrong passphrase and ssh will fail with "Agent admitted failure to sign using the key."
https:/
http://
A patch from upstream has been attached (http://
TEST CASE:
- Prepare a SSH key (or take an existing one):
ssh-keygen -C "test key" -f test_key
cat test_key.pub >> ~/.ssh/authorized_keys
- Test that it's broken:
eval "$(gpg-agent --daemon --enable-ssh-support)"
ssh-add test_key
ssh localhost
- Test that the fix works:
ssh-add -d test_key
rm ~/.gnupg/
Install the fixed packages
eval "$(gpg-agent --daemon --enable-ssh-support)"
ssh-add test_key
ssh localhost
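A scripted, non-interactive version of the test case above, added here as an example; it is not part of the bug report or of the gnupg2 package. It drives gpg-agent with a minimal fake pinentry that answers every prompt with the same passphrase, so a "Bad passphrase" in the agent log cannot be a typo and must come from the agent's own protect/unprotect code. Assumptions: a gpg-agent 2.0.x that honours --pinentry-program and --log-file, an sshd on localhost that accepts publickey logins for the current user, and permission to extend ~/.ssh/authorized_keys temporarily (a backup is restored on exit). The names fake_pinentry, repro and FAKE_PASS belong to this script only.

```shell
#!/bin/sh
# Added example (not from the bug report): scripted, non-interactive version
# of the TEST CASE above. Assumes a gpg-agent 2.0.x that honours
# --pinentry-program and --log-file, an sshd on localhost that accepts
# publickey logins for the current user, and that ~/.ssh/authorized_keys may
# be temporarily extended (a backup is restored on exit).
set -eu

# Minimal Assuan "pinentry". gpg-agent execs the configured pinentry-program
# and talks to it over stdin/stdout, one command per line; replies are "OK",
# "D <data>" or "ERR ...". Answering every GETPIN with the same string rules
# out a mistyped passphrase, so a "Bad passphrase" from the agent can only
# come from the agent's own protect/unprotect code.
fake_pinentry() {
    echo "OK Pleased to meet you"
    while IFS= read -r line; do
        case "$line" in
            GETPIN*) printf 'D %s\nOK\n' "${FAKE_PASS:-test-passphrase}" ;;
            BYE*)    echo "OK closing connection"; return 0 ;;
            *)       echo "OK" ;;   # OPTION, SETDESC, SETPROMPT, CONFIRM, ...
        esac
    done
}

# Full reproduction: fresh GNUPGHOME, fresh agent, fresh key, one ssh login.
repro() {
    self=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
    tmp=$(mktemp -d)
    auth="$HOME/.ssh/authorized_keys"
    if [ -f "$auth" ]; then cp "$auth" "$tmp/authorized_keys.bak"; fi
    cleanup() {
        if [ -f "$tmp/authorized_keys.bak" ]; then
            cp "$tmp/authorized_keys.bak" "$auth"
        else
            rm -f "$auth"
        fi
        if [ -n "${GPG_AGENT_INFO:-}" ]; then   # "socket:pid:1" in gpg-agent 2.0
            kill "$(echo "$GPG_AGENT_INFO" | cut -d: -f2)" 2>/dev/null || true
        fi
        rm -rf "$tmp"
    }
    trap cleanup EXIT

    # Wrapper so gpg-agent can exec this very script in pinentry mode.
    printf '#!/bin/sh\nFAKE_PASS=%s exec "%s" --pinentry\n' \
        "${FAKE_PASS:-test-passphrase}" "$self" > "$tmp/pinentry"
    chmod 700 "$tmp/pinentry"
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Key without an OpenSSH passphrase: the only prompts are gpg-agent's own,
    # twice to protect the key when it is added, once to unprotect it when ssh
    # asks for a signature. The private key file is deleted after ssh-add and
    # ssh is pointed at the .pub, so the agent is the only thing able to sign.
    ssh-keygen -q -t rsa -N "" -C "test key" -f "$tmp/test_key"
    mkdir -p -m 700 "$HOME/.ssh"
    cat "$tmp/test_key.pub" >> "$auth"

    eval "$(gpg-agent --daemon --enable-ssh-support \
                --pinentry-program "$tmp/pinentry" \
                --log-file "$tmp/agent.log")"
    ssh-add "$tmp/test_key"
    rm "$tmp/test_key"

    if ssh -o BatchMode=yes -o StrictHostKeyChecking=no \
           -o IdentitiesOnly=yes -i "$tmp/test_key.pub" localhost true \
           2>"$tmp/ssh.err"; then
        echo "PASS: agent signed with the freshly protected key"
    else
        echo "FAIL: login with the agent-held key failed. Agent log:"
        grep -i 'unprotect\|passphrase\|pksign' "$tmp/agent.log" || cat "$tmp/ssh.err"
        return 1
    fi
}

case "${1:-}" in
    --pinentry) fake_pinentry ;;
    run)        repro ;;
    *)          echo "usage: $0 run   (or: $0 --pinentry, used internally)" >&2 ;;
esac
```

Run it as `sh repro.sh run` before and after installing the fixed packages: on an affected 2.0.14 it prints FAIL and the "failed to unprotect the secret key: Bad passphrase" line from the agent log; on a fixed build the ssh login succeeds.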
Related branches
Joke de Buhr (joke) wrote : | #1 |
Changed in gnupg2 (Ubuntu): | |
status: | New → Confirmed |
Joke de Buhr (joke) wrote : | #2 |
segler (segler-alex) wrote : | #3 |
please add this patch to lucid, it is really important to me
description: | updated |
Joke de Buhr (joke) wrote : | #4 |
As long as no officially patched packages are released you can use mine. Only the gpg-agent package needs to be installed.
https:/
https:/
https:/
Jo (16303-gmx) wrote : | #5 |
I need to import a new private-key for university communication. Using the certificate is mandatory at our faculty. This is a security related issue and should be treated with priority. Not to be able to use gpgsm is a real show stopper...
The patch is available: http://
Thanks!
tags: | added: patch |
Changed in gnupg2: | |
status: | Unknown → Fix Released |
MatejS (matej-samcik) wrote : | #6 |
I used package from Joke de Buhr gnupg-agent_
Joke de Buhr (joke) wrote : | #7 |
You need to delete the key. Then re-add the key once more.
If that doesn't work I need to check if I made a mistake while applying the patch.
MatejS (matej-samcik) wrote : | #8 |
That's what I did. I deleted the keys manually from ~/.gnupg/
Joke de Buhr (joke) wrote : | #9 |
I think that should have done the trick. I'm going to investigate if I missed something during package building. I have been adding new keys since I built the package. I added my key using a locally patched version of gnupg.
I'm adding the new packages here as soon as I'm finished.
MatejS (matej-samcik) wrote : | #10 |
I will provide some details: I installed patched binary from Joke de Buhr then after I removed all keys and restarted KDE session, checked that no gpg-agent is running, I imported keys with:
gpgsm --import newkey.p12
everything seemed to be OK, passphrase to unprotect, then 2x passphrase to protect, import successful...
But no way to sign email message in kmail:
5 - 2010-06-15 10:51:28 gpg-agent[1489]: starting a new PIN Entry
5 - 2010-06-15 10:51:28 gpg-agent[1489]: DBG: connection to PIN entry established
5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: -> INQUIRE PINENTRY_LAUNCHED 3057
5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: <- END
5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to unprotect the secret key: Bad passphrase
5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to read the secret key
5 - 2010-06-15 10:51:36 gpg-agent[1489]: command pksign failed: Bad passphrase
5 - 2010-06-15 10:51:36 gpg-agent[1489.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
4 - 2010-06-15 10:51:36 gpgsm[3056]: error creating signature: Bad passphrase <GPG Agent>
4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: <- BYE
4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> OK closing connection
Joke de Buhr (joke) wrote : | #11 |
I just rebuilt the package. I tested it by adding ssh keys. I think it should work with gpgsm --import as well. But I'm not absolutely sure because I'm not a gnupg developer.
The new packages are available. You should install all three packages: gnupg2, gpg-agent and gpgsm. This may be the reason you had trouble with gpgsm the last time.
https:/
Joke de Buhr (joke) wrote : | #12 |
Please report if the updated package solves the problem. If it doesn't report it too.
MatejS (matej-samcik) wrote : | #13 |
Installing all three packages solved the problem, thank you very much. Hope that official package will be fixed soon, too.
Joke de Buhr (joke) wrote : | #14 |
Unfortunately the maintainer continues using the unpatched gnupg 2.0.14 release in maverick. If he doesn't consider switching to gnupg 2.0.15 any time soon or at least importing this patch, ubuntu maverick will still face this bug.
Steffen Hansen (steffen-kdab) wrote : | #15 |
Any chance there will be a fixed 2.0.14 or even better 2.0.15 package for Ubuntu Lucid? This bug makes it impossible to use gpgsm for S/MIME.
Joke de Buhr (joke) wrote : | #16 |
If you need to use gpgsm just use the fixed package I built (see post #11). As said earlier, the ubuntu maintainer doesn't seem to care about fixing the bug.
Michael Bienia (geser) wrote : | #17 |
Packages in Ubuntu are team-maintained, so there isn't one person acting as "the" maintainer. Some packages have more people looking at them, other less.
I'll try to find some time to prepare an SRU for this (i.e. 2.0.14 + this patch). 2.0.15 could only be made available to lucid as a backport from maverick (once maverick has 2.0.15).
Michael Bienia (geser) wrote : | #18 |
Here is a debdiff with the upstream patch for lucid. It looks bigger than it really is, as the debian-changes patch got regenerated (and debian-
description: | updated |
Martin Pitt (pitti) wrote : | #19 |
Sponsored. Michael, next time please subscribe the sponsoring team if you need sponsoring.
Martin Pitt (pitti) wrote : | #20 |
This was fixed in 2.0.14-1.1 which is in maverick.
Changed in gnupg2 (Ubuntu): | |
status: | Confirmed → Fix Released |
Accepted gnupg2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
Changed in gnupg2 (Ubuntu Lucid): | |
status: | New → Fix Committed |
tags: | added: verification-needed |
Jacob Helwig (jhelwig) wrote : | #22 |
I can confirm that the gnupg2 and gnupg-agent packages in lucid-proposed allow me to use gpg-agent as an ssh-agent.
tags: |
added: verification-done removed: verification-needed |
Launchpad Janitor (janitor) wrote : | #23 |
This bug was fixed in the package gnupg2 - 2.0.14-1ubuntu1.1
---------------
gnupg2 (2.0.14-1ubuntu1.1) lucid-proposed; urgency=low
* Fix a regression in gnupg2 2.0.14 which prevents unprotection of new or
changed gpg-agent passphrases. Patch provided by Werner Koch (upstream)
(lp: #567106).
-- Michael Bienia <email address hidden> Sat, 19 Jun 2010 11:01:30 +0200
Changed in gnupg2 (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
to reproduce the error (you should backup your ~/.ssh/authorized_keys file):
eval "$(gpg-agent --daemon --enable-ssh-support)"
ssh-keygen -C "test key" -f test_key
ssh-add test_key
cat test_key.pub > ~/.ssh/authorized_keys
ssh localhost