I am using my colleague's Mac, which is:
Darwin MacBook-Air-2.local 18.2.0 Darwin Kernel Version 18.2.0: Mon Nov 12 20:24:46 PST 2018; root:xnu-4903.231.4~2/RELEASE_X86_64 x86_64 MacBook Air (13-inch, 2017) mojave 10.14.2
I mostly see an error like this:
gpg-agent[87090]: error binding socket to '/dev/shm/S.gpg-agent': No such file or directory
Then I found this more complex thing on one of the GnuPG forums:
# $Id: agents.sh 5263+fixtty 2017-06-27 23:37:42Z tglase $
#-
# Copyright © 2009, 2012, 2015, 2017, 2018
# Thorsten Glaser <t.glaser@tarent.de>
#
# Provided that these terms and disclaimer and all copyright notices
# are retained or reproduced in an accompanying document, permission
# is granted to deal in this work without restriction, including un‐
# limited rights to use, publicly perform, distribute, sell, modify,
# merge, give away, or sublicence.
#
# This work is provided “AS IS” and WITHOUT WARRANTY of any kind, to
# the utmost extent permitted by applicable law, neither express nor
# implied; without malicious intent or gross negligence. In no event
# may a licensor, author or contributor be held liable for indirect,
# direct, other damage, loss, or other issues arising in any way out
# of dealing in the work, even if advised of the possibility of such
# damage or existence of a defect, except proven that it results out
# of said person’s immediate fault when using the work as intended.
#-
# /etc/profile.d/agents.sh (sourced by /etc/profile on Debian and derivates)
# • install gpg and ssh skeleton files
# • load gpg-agent and ssh-agent, unless already there
#
# You should comment out “use-ssh-agent” in /etc/X11/Xsession.options
# in order to use the shared per-user agent started from this script.
test -n "$USER_ID" || USER_ID=$(id -u)
mkdir -p "$HOME/.ssh" "$HOME/.gnupg"
chmod 0700 "$HOME/.ssh" "$HOME/.gnupg"
for PID_FILE in .gnupg/gpg.conf .gnupg/gpg-agent.conf .ssh/config; do
    test -s /etc/skel/$PID_FILE || continue
    # list of known MD5 hashes of templates deployed by us
    # + note the spaces at beginning and end of md5list! +
    case $PID_FILE in
    .gnupg/gpg.conf)
        _md5list=" 2b7d7e47afb59ec164cf0ab512bb4ddc c8b796ed85a79e458a564645dcf38281 d5c4f4335d1eab08bfc9afe7ab494801 e6af3b74078a49db14f2f79fa82b7d3a 1f5d00be735cd1b1a57960c0128d2368 e51c210618d7dbc93c63e456d4dd4af1 7dfefaad0f417b7f50da1d80f8f0759b 07826f04f9e3b700e0f45da360d25877 "
        ;;
    .gnupg/gpg-agent.conf)
        _md5list=" e7e9b7940f07c3cb447b30da27914f8d "
        ;;
    *)
        _md5list=
        ;;
    esac
    if test -s "$HOME/$PID_FILE"; then
        _md5=$( (fgrep -v '$Id' "$HOME/$PID_FILE" | md5sum) 2>&1 || \
            echo fail)
        case $_md5list in
        *\ ${_md5%% *}\ *)
            # MD5 matches, remove file
            rm -f "$HOME/$PID_FILE"
            ;;
        *)
            # MD5 does not match, do not touch file
            continue
            ;;
        esac
    fi
    # file does not exist or was removed by us, install template
    cp /etc/skel/$PID_FILE "$HOME/$PID_FILE"
    chmod 0600 "$HOME/$PID_FILE"
done
unset _md5
unset _md5list
PID_FILE="/dev/shm/.ssh-$USER_ID"
test -n "$SSH_AGENT_PID" || test -z "$SSH_CONNECTION" || SSH_AGENT_PID=fwd
if test -n "$SSH_AUTH_SOCK"; then
    test -S "$SSH_AUTH_SOCK" || SSH_AGENT_PID=
else
    SSH_AGENT_PID=
fi
if test -z "$SSH_AGENT_PID" && \
    test -d "$PID_FILE/." && test -O "$PID_FILE/." && \
    test -s "$PID_FILE/info" && test -O "$PID_FILE/info"; then
    chmod -R go-rwx "$PID_FILE"
    . "$PID_FILE/info"
fi
if test -z "$SSH_AUTH_SOCK" || test -z "$SSH_AGENT_PID" || \
    test \! -S "$SSH_AUTH_SOCK"; then
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    eval $(ssh-agent -s)
fi
if test -d "$PID_FILE/." && test -O "$PID_FILE/."; then
    : wonderful
else
    rm -rf "$PID_FILE"
    mkdir -p "$PID_FILE" && test -d "$PID_FILE/." && \
        test -O "$PID_FILE/." && chmod -R go-rwx "$PID_FILE" || \
        rm -rf "$PID_FILE"
fi
if test -d "$PID_FILE/." && test -O "$PID_FILE/."; then
    rm -f "$PID_FILE/info"
    :>"$PID_FILE/info"
    chmod 0600 "$PID_FILE/info"
fi
if test -f "$PID_FILE/info" && test -O "$PID_FILE/info" &&
    test -n "$SSH_AGENT_PID" && test -n "$SSH_AUTH_SOCK"; then
    echo "SSH_AGENT_PID=$SSH_AGENT_PID" >>"$PID_FILE/info"
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >>"$PID_FILE/info"
    export SSH_AUTH_SOCK SSH_AGENT_PID
else
    rm -f "$PID_FILE/info"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
fi
: "${GNUPGHOME:=$HOME/.gnupg}"
find_gpg_agent() {
    local PID_FILE="$GNUPGHOME/gpg-agent-info-$(hostname)"
    local mytty
    if mytty=$(tty); then
        GPG_TTY=$mytty
        export GPG_TTY
    fi
    test -d "$GNUPGHOME" || return 0
    export GNUPGHOME
    test -n "$GPG_AGENT_INFO" && test -S "${GPG_AGENT_INFO%%:*}" && \
        gpg-agent 2>/dev/null && return 0
    unset GPG_AGENT_INFO
    if test -s "$PID_FILE"; then
        . "$PID_FILE"
        export GPG_AGENT_INFO
        test -n "$GPG_AGENT_INFO" && \
            test -S "${GPG_AGENT_INFO%%:*}" && \
            gpg-agent 2>/dev/null && return 0
        rm -f "$PID_FILE"
    fi
    unset GPG_AGENT_INFO
    eval $(gpg-agent --daemon --sh)
    : "${GPG_AGENT_INFO:=$GNUPGHOME/S.gpg-agent:0:1}"
    export GPG_AGENT_INFO
    if test -n "$GPG_AGENT_INFO" && test -S "${GPG_AGENT_INFO%%:*}" && \
        gpg-agent 2>/dev/null; then
        echo "GPG_AGENT_INFO=$GPG_AGENT_INFO" >"$PID_FILE"
        return 0
    fi
    unset GPG_AGENT_INFO
    return 0
}
find_gpg_agent
unset -f find_gpg_agent
I manually did a ton of steps and also used a few older solutions, like:
sudo printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > ~/.gnupg/S.gpg-agent
-bash: /Users/mysuser/.gnupg/S.gpg-agent: Permission denied
So, looking at this from a higher perspective: I made this work on my own Mac really easily; mine is a 2015 Mac. And as I look at the issue of permissions and operations not permitted, the only thing I am finding is System Integrity Protection (SIP), to be able to fix the permissions of not creating the socket or agent:
mkdir: /dev/shm/.ssh-0: Operation not permitted
gpg-agent[87019]: error binding socket to '/dev/shm/S.gpg-agent': No such file or directory
I hope you can help me debug this, as it would be nice to get this working with the YubiKey for our colleague, since:
gpg --expert --full-gen-key
was producing all this debug material:
gpg: can't connect to the agent: IPC connect call failed
gpg: agent_genkey failed: No agent running
Key generation failed: No agent running
And basically the problem as a whole stands at gpg-agent not running and not able to be run, even though the biggest code block I mentioned is providing us this when run:
sudo ./hope.sh
Password:
Agent pid 86997
mkdir: /dev/shm/.ssh-0: Operation not permitted
gpg-agent[87004]: error binding socket to '/dev/shm/S.gpg-agent': No such file or directory
So the agent PID is visible.
I hope I provided good information so we can get this settled once and for all.
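
A diagnostic sketch for the socket redirect file written in the post (`%Assuan%` followed by `socket=...`), added here as an example and not part of the original post or of GnuPG: it parses the redirect file and reports whether the directory the socket has to be bound in exists and is writable. The function names `assuan_redirect_target` and `check_agent_socket` are hypothetical, and the sample file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added diagnostic example; helper names are hypothetical.
# Redirect file format, as written in the post:
#   %Assuan%
#   socket=/dev/shm/S.gpg-agent

# Print the socket path a redirect file points at.
# Returns 1 if the file is missing or is not a redirect file.
assuan_redirect_target() {
    file=$1
    [ -f "$file" ] || return 1
    # The first line must be the literal marker.
    IFS= read -r first <"$file" || [ -n "$first" ] || return 1
    [ "$first" = "%Assuan%" ] || return 1
    # Take the first socket= line after the marker.
    target=$(sed -n '2,$s/^socket=//p' "$file" | head -n 1)
    [ -n "$target" ] || return 1
    printf '%s\n' "$target"
}

# Classify whether an agent could bind the redirected socket.
check_agent_socket() {
    target=$(assuan_redirect_target "$1") || { echo not-a-redirect; return 0; }
    dir=$(dirname "$target")
    if [ ! -d "$dir" ]; then
        # bind() on a path whose directory is absent fails with
        # "No such file or directory"
        echo "missing-dir:$dir"
    elif [ ! -w "$dir" ]; then
        echo "unwritable-dir:$dir"
    else
        echo "ok:$target"
    fi
}

# Constructed sample: a redirect file whose target directory does not exist.
demo=$(mktemp -d)
printf '%%Assuan%%\nsocket=%s/shm/S.gpg-agent\n' "$demo" >"$demo/S.gpg-agent"
check_agent_socket "$demo/S.gpg-agent"
rm -rf "$demo"
```

Run against the real file with `check_agent_socket "$HOME/.gnupg/S.gpg-agent"`; on a system that has no `/dev/shm` directory, the `missing-dir` case corresponds to the bind error quoted in the post.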