--pinentry-mode loopback with --delete-secret-keys
Closed, Resolved (Public)

Description

Hello,

the --pinentry-mode loopback doesn't work with --delete-secret-keys; it ends with the error "gpg: deleting secret key failed: No pinentry", even though --export-secret-keys is processed without any issues and the passphrase is requested directly on the command line.

Example:

$ gpg2 --pinentry-mode loopback -a --export-secret-keys F4433F96910C9AC1FEF65A7299A5538C769B6150
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2

lQPGBFnnSl4BCADd1wEBR7xcxBMMEmnQh7WzYe8q1f4meaBY+wes+RVyO6MZogzv
...
kr57Ty7Pvu0jrohVJeVJKJf9e82tbzzQBYldVDW4HTWUkJYBnoDFydt/+HoKJgvn
iA==
=ONaf
-----END PGP PRIVATE KEY BLOCK-----

$ gpg2 --pinentry-mode loopback --delete-secret-keys F4433F96910C9AC1FEF65A7299A5538C769B6150
gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa2048/99A5538C769B6150 2017-10-18 Box B6FD1270D93C <box-cert@survilla.net>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
gpg: deleting secret key failed: No pinentry
gpg: deleting secret subkey failed: No pinentry
gpg: F4433F96910C9AC1FEF65A7299A5538C769B6150: delete key failed: No pinentry

This is a problem if I am connected to a remote machine and need to remove a secret key from the keyring.

homolkao created this task. Oct 24 2017, 3:04 PM
werner triaged this task as Normal priority. Oct 24 2017, 3:07 PM
werner added a subscriber: werner.

gpg-agent sometimes pops up confirmation dialogs. This can't yet be handled with the loopback pinentry. Try gpg option --batch.

Unfortunately, the --batch option doesn't help; it only suppresses user input.

$ gpg2 --pinentry-mode loopback --batch --delete-secret-keys F4433F96910C9AC1FEF65A7299A5538C769B6150
gpg: deleting secret key failed: No pinentry
gpg: deleting secret subkey failed: No pinentry
gpg: F4433F96910C9AC1FEF65A7299A5538C769B6150: delete key failed: No pinentry

GPG pinentry works well on my GNOME desktop (a well-formatted form appears), but I have a problem when I need to remove a secret key (enter the passphrase) on a remote machine via SSH.
It can be handled with --export, so why not with --delete-secret-keys?
Is there a fix already? Or a roadmap for when this will be fixed? Or some workaround for removing a secret key remotely via SSH?

gniibe claimed this task. Wed, May 29, 5:30 AM
gniibe added a subscriber: gniibe.

I wrote a patch in a topic branch: rG108c22c9c50a: g10,agent: Support CONFIRM for --delete-key.
I think that, on the gpg-agent side,

  • agent/call-pinentry.c: This part is good
  • agent/command.c: I wonder whether the use of status for passing the prompt information is good or not

Perhaps, we need an improvement in

  • g10/call-agent.c: how to ask the user; is using a cpr_* function with no keyword good?
  • Currently, only using DESC
  • Only applying to DELETE_KEY command
  • Can be applied also to:
    • PKSIGN
    • PKDECRYPT

I also experienced this issue while testing my --delete-secret-key patches. Passing --pinentry-program /usr/bin/pinentry-tty to the gpg-agent worked around it.
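The pinentry-tty workaround from the comment above, written out for an SSH session. This is an added example, not code from the thread or from GnuPG; the function names are hypothetical, and it assumes the default GNUPGHOME of ~/.gnupg and the /usr/bin/pinentry-tty path given in the comment.

```sh
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.

# Set or replace the pinentry-program option in a gpg-agent.conf,
# keeping every other option and leaving exactly one such line.
set_pinentry_program() {
    conf=$1
    program=$2
    tmp="$conf.tmp.$$"
    mkdir -p -m 700 "$(dirname "$conf")" || return 1
    if [ -f "$conf" ]; then
        # grep exits 1 when nothing is left to print; only 2 is an error.
        grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" \
            || [ $? -eq 1 ] || return 1
    else
        : > "$tmp"
    fi
    printf 'pinentry-program %s\n' "$program" >> "$tmp" || return 1
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Delete a secret key from a terminal-only session using the tty pinentry.
delete_secret_key_tty() {
    fpr=$1
    pinentry=${2:-/usr/bin/pinentry-tty}   # path as given in the comment
    home=${GNUPGHOME:-$HOME/.gnupg}        # assumption: default home
    [ -x "$pinentry" ] || { echo "missing $pinentry" >&2; return 1; }
    tty -s || { echo "no terminal; connect with ssh -t" >&2; return 1; }
    set_pinentry_program "$home/gpg-agent.conf" "$pinentry" || return 1
    gpgconf --kill gpg-agent         # next gpg call starts a fresh agent
    GPG_TTY=$(tty)                   # terminal the agent should prompt on
    export GPG_TTY
    gpg2 --delete-secret-keys "$fpr"
}

# Usage on the remote machine:
#   delete_secret_key_tty F4433F96910C9AC1FEF65A7299A5538C769B6150
```

The change to gpg-agent.conf persists, so on a machine that also has a desktop session the previous pinentry-program line should be restored afterwards.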

gniibe closed this task as Resolved. Tue, Jun 4, 2:24 AM