sunox Tux's lil' helper
Joined: 26 Jan 2022 Posts: 136
Posted: Wed Jan 26, 2022 1:40 am Post subject: [solved] Pinentry passphrases not saved by gnome-keyring
Hello. I am new to gentoo and this is the last 'major' thing that I have yet to get working.
I save a bunch of email credentials in an authinfo.gpg file which I unlock in scripts using gpg2. The first time I run these scripts pinentry prompts me for the authinfo.gpg passphrase. On my other OSes (I use Debian normally) the passphrase for this authinfo.gpg file gets saved to gnome-keyring-daemon, and I don't have to enter it a second time.
I have gnome-keyring working in the gentoo install. It's saved my Nextcloud credentials, and unlocks it on boot. It also seems to be able to see my ssh keys. To test if gpg2 was able to talk to gnome-keyring-daemon I created a quick key using "--quick-key-gen", and this key was saved to gnome-keyring.
The problem is that the authinfo.gpg passphrase isn't being saved to the gnome-keyring after entering them using pinentry.
Some possibly relevant info about my environment: I use OpenRC with elogind, not systemd. I'm using sway window manager.
I have tried a bunch of things but nothing is working yet:
- I have set 'use-agent' in gpg.conf. I don't have to do any configuration to gpg.conf or gpg-agent.conf on debian.
- I export GPG_TTY=$(tty)
- I set GPG_AGENT_PID and GPG_AGENT_INFO using some script I found on stack overflow. No effect. I still wonder if environment variables might be to blame though.
- an hour ago I discovered that I did not have the gnome-keyring USE flag set for pinentry, which I was sure was the issue, but sadly it didn't seem to help.
- I set the debug level of gpg-agent to high and watched what it did. Did not see any clues.
I am probably forgetting other things I've tried, but it's been a long day!
I have a feeling it has something to do with an improperly set USE flag or environment variables.
If anyone can offer any help or guidance whatsoever I would be really grateful.
Last edited by sunox on Thu Mar 03, 2022 8:22 pm; edited 1 time in total

sunox Tux's lil' helper
Joined: 26 Jan 2022 Posts: 136
Posted: Wed Jan 26, 2022 5:21 am
I found a solution. If I use pinentry-gtk (which I didn't have compiled before) then the pinentry secrets are saved to gnome-keyring. I guess gnome-keyring requires the gui pinentry? Thought I would share in case anyone else is having the same issue.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Wed Jan 26, 2022 4:10 pm
Thank you for posting the solution. In the non-working configuration, what pinentry was used for the password that was then not saved? Was the same pinentry also used for passwords that were saved successfully?

sunox Tux's lil' helper
Joined: 26 Jan 2022 Posts: 136
Posted: Wed Jan 26, 2022 7:10 pm
I tried both pinentry-curses and pinentry-tty, using both Emacs and my terminal emulator. The passwords that I entered using pinentry-{tty,curses} worked, but they were only saved to gnome-keyring when I entered them using pinentry-gtk. pinentry-gtk has a checkbox that says something like "save password in password manager" which is maybe what does the trick.
This morning Emacs continued to prompt me for the authinfo.gpg passphrase in the minibuffer (I believe using pinentry-tty) when I tried to send an email. I think this is because I still had a line in my Emacs config saying to do pinentry using loopback, but I'm not positive. The important thing though is that it did not save anything to gnome-keyring.
I thought that on my Debian install, when I entered passwords using pinentry-{tty,curses}, it saved them to the keyring. However, I just cleared my keyring and then called gpg2 to unlock authinfo.gpg, and I see that I am prompted by pinentry-gtk. So my guess is that this is an issue with these packages in general and not in their Gentoo implementation. Just a guess though. Strangely, I could not find any indication online anywhere that you need pinentry-gtk to get passwords to save to the keyring. You would think that others would have encountered this issue as the gtk flag is not default for pinentry.
Hopefully that answers your question, but if not then please let me know. Happy to provide more info.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Wed Jan 26, 2022 7:43 pm
I'm not personally impacted by this, but I am curious why you are getting the results you do. Given that you have a solution and it appears not to be a Gentoo-specific problem, I don't know that it's worth spending much of your time digging deeper. If I had to guess, somehow your -gtk version delegates to the gnome keyring, but the -curses version delegates to a short-lived gpg-agent. I don't know why they would behave differently. Perhaps the -gtk version can delegate to gnome keyring through some X11 window trickery, and the -curses version, being unable or unwilling to use the X server as an intermediary, cannot access gnome keyring.

sunox Tux's lil' helper
Joined: 26 Jan 2022 Posts: 136
Posted: Wed Jan 26, 2022 11:45 pm
The passphrases entered using -curses and -tty were being cached in the short-lived gpg-agent, though I'm not sure exactly where those cached entries lived -- possibly in ~/.gnupg/.
To put the 'is it gentoo?' matter to rest I forced pinentry-curses on my Debian install, and it's not saving the passphrase to the gnome-keyring either. Very strange, and frankly this seems like a bug to me but what do I know. I wonder why it's not at least a configuration option in pinentry-curses.
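
A check built on what this thread found (only the graphical pinentry stored the passphrase in gnome-keyring), added here as an example and not posted by anyone in the thread: it reads a GnuPG home directory and reports settings that send passphrase entry to a terminal pinentry or to loopback, or that turn off the external cache. `pinentry-program`, `pinentry-mode loopback` and `no-allow-external-cache` are real GnuPG options; the function names, finding labels and sample files are made up for the example.

```shell
#!/bin/sh
# Added example: flag GnuPG settings that route passphrase entry away from a
# graphical pinentry. Function names and finding labels are hypothetical.

# conf_value OPTION FILE: print OPTION's argument (last occurrence wins here,
# an assumption of this sketch). Commented-out lines never match.
conf_value() {
    [ -r "$2" ] || return 0
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                     END { if (v != "") print v }' "$2"
}

# conf_has OPTION FILE: succeed if the bare OPTION appears in FILE.
conf_has() {
    [ -r "$2" ] || return 1
    awk -v key="$1" '$1 == key { found = 1 } END { exit !found }' "$2"
}

# audit_gnupg DIR: print space-separated findings, or "ok" if there are none.
audit_gnupg() {
    dir=$1
    out=""
    case $(conf_value pinentry-program "$dir/gpg-agent.conf") in
        *pinentry-curses*|*pinentry-tty*) out="$out terminal-pinentry" ;;
    esac
    if [ "$(conf_value pinentry-mode "$dir/gpg.conf")" = loopback ]; then
        out="$out loopback-mode"
    fi
    if conf_has no-allow-external-cache "$dir/gpg-agent.conf"; then
        out="$out external-cache-disabled"
    fi
    out=${out# }
    echo "${out:-ok}"
}

# Constructed sample resembling the non-working setup (not the poster's files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed' 'pinentry-program /usr/bin/pinentry-curses' \
        > "$d/gpg-agent.conf"
    printf '%s\n' 'use-agent' 'pinentry-mode loopback' > "$d/gpg.conf"
    audit_gnupg "$d"
    rm -rf "$d"
}

demo   # prints: terminal-pinentry loopback-mode
# Real use: audit_gnupg "${GNUPGHOME:-$HOME/.gnupg}"
```

The check only reads `gpg.conf` and `gpg-agent.conf`; it does not follow the system's default `pinentry` symlink or look at an Emacs configuration, so "ok" means only that these two files do not force a terminal prompt.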