
gpgconf doesn't restart gpg-agent after running gpgconf with '--change-option --runtime'
Closed, Resolved, Public

Description

Tested with gnupg 2.0.16 and an empty $GNUPGHOME dir on Debian Lenny:

$ gpg-agent --daemon
$ set GPG_AGENT_INFO ...
$ gpgsm --import x.509-certificate-chain.pem
$ gpgsm --import x.509-secret-key.p12

-> enter passphrase

Test1 - try to sign a file:
$ gpgsm --detach-sign textfile.txt
gpgsm: Das Zertifikat kann nicht zum Signieren benutzt werden
dirmngr[25652]: Fehler beim Öffnen von
`/home/emanuel/.gnupg/dirmngr_ldapservers.conf': Datei oder Verzeichnis nicht
gefunden
dirmngr[25652]: dauerhaft geladene Zertifikate: 0
dirmngr[25652]: zur Laufzeit zwischengespeicherte Zertifikate: 0
dirmngr[25652]: Die Zwischenspeicherverzeichnisdatei
`/home/emanuel/.gnupg/dirmngr-cache.d/DIR.txt' konnte nicht geöffnet werden:
Datei oder Verzeichnis nicht gefunden
dirmngr[25652]: Das Verzeichnis `/home/emanuel/.gnupg/dirmngr-cache.d' wird erzeugt
dirmngr[25652]: Neue Zwischenspeicherverzeichnisdatei
`/home/emanuel/.gnupg/dirmngr-cache.d/DIR.txt' wurde erzeugt
dirmngr[25652]: Es ist keine CRL für den Issuer mit der ID
4E31CEB57DDD4A7B9991AB05507B1ED4293FF952 vorhanden
dirmngr[25652]: Zertifikat wurde zwischengespeichert
dirmngr[25652]: Kompatibilitätsmodus - Zertifikatkette nicht geprüft!
dirmngr[25652]: Es ist keine CRL für den Issuer mit der ID
7F2A402CBB016A9146D613568C89D3596A4111AA vorhanden
dirmngr[25652]: Zertifikat wurde zwischengespeichert
dirmngr[25652]: Kompatibilitätsmodus - Zertifikatkette nicht geprüft!
gpgsm: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert
gpgsm: Fingerprint=A6:93:5D:D3:4E:F3:08:79:73:C7:06:FC:31:1A:A2:CC:F7:33:76:5B
gpg-agent[25526]: command marktrusted failed: Nicht unterstützt
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 2003-06-28 14:47:37
gpgsm: DBG: notAfter: 2013-06-27 14:47:37
gpgsm: DBG: issuer: CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
gpgsm: DBG: subject: CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint:
A6:93:5D:D3:4E:F3:08:79:73:C7:06:FC:31:1A:A2:CC:F7:33:76:5B
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the
list of trusted certificates.
gpgsm: Interaktives vertrauenswürdig-Markieren ist in gpg-agent ausgeschaltet
gpgsm: error creating signature: Nicht vertrauenswürdig <GPG Agent>
dirmngr[25652]: LDAP Wrapper 25654 fertig
dirmngr[25652]: LDAP Wrapper 25653 fertig

Set the allow-mark-trusted option of gpg-agent via gpgconf:
$ echo 'allow-mark-trusted:0:1'|gpgconf --runtime --change-options gpg-agent
gpg-agent:GPG Agent:/usr/bin/gpg-agent:1:1:
gpg-agent[25526]: SIGHUP received - re-reading configuration and flushing cache

> ~/.gnupg/gpg-agent.conf with "allow-mark-trusted" created. Ok.

Test 2 - try to sign a file again:
$ gpgsm --detach-sign textfile.txt
gpgsm: Das Zertifikat kann nicht zum Signieren benutzt werden
dirmngr[25660]: Fehler beim Öffnen von
`/home/emanuel/.gnupg/dirmngr_ldapservers.conf': Datei oder Verzeichnis nicht
gefunden
dirmngr[25660]: dauerhaft geladene Zertifikate: 0
dirmngr[25660]: zur Laufzeit zwischengespeicherte Zertifikate: 0
gpgsm: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert
gpgsm: Fingerprint=A6:93:5D:D3:4E:F3:08:79:73:C7:06:FC:31:1A:A2:CC:F7:33:76:5B
gpg-agent[25526]: command marktrusted failed: Nicht unterstützt
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 2003-06-28 14:47:37
gpgsm: DBG: notAfter: 2013-06-27 14:47:37
gpgsm: DBG: issuer: CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
gpgsm: DBG: subject: CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint:
A6:93:5D:D3:4E:F3:08:79:73:C7:06:FC:31:1A:A2:CC:F7:33:76:5B
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the
list of trusted certificates.
gpgsm: Interaktives vertrauenswürdig-Markieren ist in gpg-agent ausgeschaltet
gpgsm: error creating signature: Nicht vertrauenswürdig <GPG Agent>

> Signing failed.

Expected: The allow-mark-trusted pinentry dialog should ask whether to make the
root certificate trustable. After that, signing files should work.

Note:
This is the same problem in gpg4win 2.1.0-beta1. Kleopatra runs:
gpgconf.exe --runtime --change-options gpg-agent and
gpgconf.exe --runtime --change-options dirmngr
after the user has enabled the allow-mark-trusted option via the Kleopatra gpgconf dialog.
But gpg-agent wasn't restarted. If the user kills the gpg-agent process and restarts
gpg-agent, the allow-mark-trusted pinentry comes up.

So it seems to be a problem with gpgconf?!

Details

External Link
https://issues.kolab.org/issue4563
Version
2.0.16

Event Timeline

What do you think

set GPG_AGENT_INFO

does? We are on a Unix box, why do you want to assign GPG_AGENT_INFO to the '_'
envvar?

Anyway, I just tested this on my system (2.0.17-svn5367; but I can't remember
any changes in this area since 2.0.16). It works without problems.
Let's try it:

With disabled option:

$ echo 'allow-mark-trusted:16:'|gpgconf --runtime --change-options gpg-agent
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye

ERR 67108924 Not supported <GPG Agent>

Right, it is not supported. Now after enabling the option:

$ echo 'allow-mark-trusted:0:1:'|gpgconf --runtime --change-options gpg-agent
gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye

ERR 83886179 Operation cancelled <Pinentry>

The Pinentry popped up and I clicked on Cancel. qed.

You might want to check the content of your gpg-agent.conf. For
example adding the option manually outside of the gpgconf markers may
not allow you to *disable* the option - but, right, this is not your
problem. Check anyway.

Sorry, the "set GPG_AGENT_INFO..." line was pasted from my Windows test. My
GNU/Linux test starts of course with:

$ gpg-agent --daemon

copy output and paste:

$ GPG_AGENT_INFO=/tmp/gpg-tEpa7c/S.gpg-agent:25526:1; export GPG_AGENT_INFO;

...then continue the test of T1285 (emanuel on Sep 22 2010, 03:01 PM / Roundup).

In your test you use gpg-connect-agent to set "marktrusted <FINGERPRINT> S".

I expected (and I think Kleopatra does, too) that I don't have to do that manually.
After enabling allow-mark-trusted, gpg-agent should run the "marktrusted"
automatically. I am waiting for the pinentry dialog when I start the next crypto
operation.

The gpg-agent.conf is correct and was created by gpgconf.

My retest with gnupg 2.0.16...

First clean my .gnupg (test) dir and then start gpg-agent:
$ eval $(gpg-agent --daemon)

1. Option disabled:

$ echo 'allow-mark-trusted:16:'|gpgconf --runtime --change-options gpg-agent
gpg-agent:GPG Agent:/usr/bin/gpg-agent:1:1:

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye

ERR 67108924 Nicht unterstützt <GPG Agent>

Ok. Now enabling option:

$ echo 'allow-mark-trusted:0:1:'|gpgconf --runtime --change-options gpg-agent
gpg-agent:GPG Agent:/usr/bin/gpg-agent:1:1:

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye

ERR 67108924 Nicht unterstützt <GPG Agent>

Same error with the option enabled. Pinentry doesn't pop up.
Try again after reloading gpg-agent:

$ gpgconf --reload gpg-agent

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye

ERR 67108924 Nicht unterstützt <GPG Agent>

Same error. Now kill and restart gpg-agent and try again:

$ kill <pid>
$ eval $(gpg-agent --daemon)

$ gpg-connect-agent 'marktrusted 1122334455667788990011223344556677889900 S foo' /bye
ERR 83886194 Nicht bestätigt <Pinentry>

> That works! Pinentry popped up and I clicked on Cancel.

So what's wrong with my test or configuration?
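The retest above follows a fixed pattern: change the option through gpgconf, then send the marktrusted probe through gpg-connect-agent and read the ERR reply to see whether the running agent actually honours the new setting. The helper below scripts that check. It is an added example, not code from the GnuPG project or from anyone in this thread. It assumes the gpgconf --change-options input format NAME:FLAGS:VALUE (flags 16 resets the option to its default; for an argument-less option such as allow-mark-trusted the value is the number of occurrences) and the libgpg-error code layout (error source in the bits from 24 upward, error code in the low 16 bits); the numeric error values, the all-digits test fingerprint and the "foo" display name are taken from the thread, while the classification labels and function names are my own.

```python
"""Script the gpgconf change / marktrusted probe used in the thread and decode
the Assuan ERR replies.  Added example, not GnuPG project code.

Assumptions (labelled): gpgconf --change-options reads NAME:FLAGS:VALUE lines,
FLAGS=16 meaning "reset to default"; a numeric gpg-error value packs the source
in bits 24 and up and the error code in the low 16 bits.
"""
import re
import subprocess

GPGCONF_FLAG_DEFAULT = 16  # gpgconf "default" flag: drop the option from the config file

# Sources and codes from gpg-error.h that appear in this thread.
ERR_SOURCE_GPGAGENT = 4
ERR_SOURCE_PINENTRY = 5
ERR_NOT_SUPPORTED = 60
ERR_CANCELED = 99
ERR_NOT_CONFIRMED = 114
SOURCE_NAMES = {ERR_SOURCE_GPGAGENT: "gpg-agent", ERR_SOURCE_PINENTRY: "pinentry"}

ASSUAN_ERR_RE = re.compile(r"^ERR (\d+)(?: (.*))?$")


def change_option_line(name, value=None):
    """Build one input line for `gpgconf --runtime --change-options COMPONENT`.

    value=None resets the option (flags 16, empty value); any other value is
    written with flags 0, matching the two lines used in the thread:
    'allow-mark-trusted:16:' and 'allow-mark-trusted:0:1:'.
    """
    if value is None:
        return f"{name}:{GPGCONF_FLAG_DEFAULT}:"
    return f"{name}:0:{value}:"


def decode_gpg_error(code):
    """Split a numeric gpg-error value into (source, error_code)."""
    return (code >> 24) & 0x7F, code & 0xFFFF


def classify_marktrusted_reply(line):
    """Classify the agent's reply to `marktrusted <fpr> S <name>`.

    'option-inactive': agent answered NOT_SUPPORTED, i.e. allow-mark-trusted is
                       not in effect in the running agent process.
    'option-active'  : the request reached pinentry (cancelled / not confirmed),
                       so the option is in effect, whatever the user clicked.
    'ok'             : the agent accepted the request.
    """
    line = line.strip()
    if line == "OK" or line.startswith("OK "):
        return "ok"
    m = ASSUAN_ERR_RE.match(line)
    if not m:
        raise ValueError(f"not an Assuan status line: {line!r}")
    source, code = decode_gpg_error(int(m.group(1)))
    if source == ERR_SOURCE_GPGAGENT and code == ERR_NOT_SUPPORTED:
        return "option-inactive"
    if source == ERR_SOURCE_PINENTRY and code in (ERR_CANCELED, ERR_NOT_CONFIRMED):
        return "option-active"
    return f"other-error:{SOURCE_NAMES.get(source, source)}:{code}"


def runtime_change_took_effect(reply_before, reply_after):
    """True when the probe shows the agent honoured the --runtime option change:
    NOT_SUPPORTED before enabling, pinentry reached afterwards."""
    return (classify_marktrusted_reply(reply_before) == "option-inactive"
            and classify_marktrusted_reply(reply_after) == "option-active")


# --- live helpers; need gpgconf, gpg-connect-agent and a running agent -------

def set_agent_option(name, value=None, component="gpg-agent"):
    """Apply one option change with --runtime, as Kleopatra and the thread do."""
    subprocess.run(["gpgconf", "--runtime", "--change-options", component],
                   input=change_option_line(name, value) + "\n",
                   text=True, check=True)


def probe_agent(fingerprint="1122334455667788990011223344556677889900"):
    """Send the thread's marktrusted probe and return the final OK/ERR line."""
    out = subprocess.run(
        ["gpg-connect-agent", f"marktrusted {fingerprint} S foo", "/bye"],
        capture_output=True, text=True, check=False).stdout
    status = [l for l in out.splitlines() if l.startswith(("OK", "ERR"))]
    return status[-1] if status else ""


if __name__ == "__main__":
    # Constructed sample replies, copied from the thread rather than captured live.
    before = "ERR 67108924 Nicht unterstützt <GPG Agent>"
    after_ok = "ERR 83886194 Nicht bestätigt <Pinentry>"
    after_bug = "ERR 67108924 Nicht unterstützt <GPG Agent>"
    print(change_option_line("allow-mark-trusted", 1))
    print("fixed agent :", runtime_change_took_effect(before, after_ok))
    print("buggy agent :", runtime_change_took_effect(before, after_bug))
```

To verify a live system, call `set_agent_option("allow-mark-trusted")`, `probe_agent()`, then `set_agent_option("allow-mark-trusted", 1)` and `probe_agent()` again, and feed the two replies to `runtime_change_took_effect`; with the behaviour reported in this thread the second reply stays NOT_SUPPORTED until the agent is restarted. The classifier looks only at source and code, so German and English reply texts are handled the same way.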

I checked again: I can see no changes in my working copy since 2.0.16.

There is something wrong at your site; please enable logging via socket and run
the test again. Look at the output of watchgnupg to see which agent is actually
used. For gpg-agent.conf use the options "debug 1024" and "verbose".

There seems to be a relation if gpg-agent.conf exists or not.

1. Test fails if gpg-agent.conf is not available:

$ killall gpg-agent
$ rm -r ~/.gnupg/*
$ eval $(gpg-agent --daemon)
[test of T1285 (wk on Sep 22 2010, 04:35 PM / Roundup)]

2. Test works correctly if there is a gpg-agent.conf created:

$ killall gpg-agent
$ rm -r ~/.gnupg/*
$ touch ~/.gnupg/gpg-agent.conf
$ eval $(gpg-agent --daemon)
[test of T1285 (wk on Sep 22 2010, 04:35 PM / Roundup)]
=> Pinentry popped up after enabling the option (like in T1285 (wk on Sep 22 2010, 04:35 PM / Roundup)).

I can save the debug output if you still need it.

The test also works for gpg4win 2.1.0-beta1 if an empty gpg-agent.conf file is
created before gpg-agent is started:

If the user enables allow-mark-trusted (via Kleopatra), pinentry pops up directly
after closing the Kleo config dialog. No manual restart of gpg-agent is necessary.
That's exactly what the user expects.

thomas set External Link to https://issues.kolab.org/issue4563. Sep 23 2010, 4:59 PM

Yep, there is a bug in gpg-agent. Fixed for 2.0 in svn rev 5423. Patch for
gpg4win committed.

emanuel removed a project: Restricted Project.

Fix confirmed. Tested with gpg4win 2.1.0-svn1569.
So resolved.