This one is complicated but I've been putting a lot of effort trying to debug this.
There's this web extension called gopassbridge which is a bridge that uses the browser's native messaging API to talk with [[ https://github.com/gopasspw/gopass | gopass ]] which is a password manager that uses gpg. Firefox eventually launches gopass-jsonapi listen which in turn calls gpg in order to decrypt the passwords.
Here's a link to upstream's issue:
And the steps to reproduce, copied from my own comment:
- Start a Gnome Wayland session (it could be that other wayland based WM will work).
- Start a terminal that works natively with Wayland - such as gnome-terminal.
- Run from that terminal the command env MOZ_ENABLE_WAYLAND=1 firefox.
- Go to about:support
- Use <kbd>Ctrl-F</kbd> and search for _"Window Protocol"_ to make sure native Wayland support is used - it should say wayland/drm See Arch Wiki article.
- Now try to use gopass' Web extension.
A note on step 1: I recently switched to using Wayland for my Gnome session and it occurred to me that I had to clear all dconf settings in order for it to launch - see this thread.
Launching Firefox either from an X based terminal or with env -u MOZ_ENABLE_WAYLAND firefox, even in a wayland based DE / WM, doesn't reproduce the issue. Also, launching gopass directly via gnome-terminal also doesn't reproduce the issue.
In fact, it's possible to reproduce the issue even without Firefox and the extension / gopass installed and setup. Launch a Wayland Gnome session and use Gnome's "run command" (<kbd>Alt-F2</kbd> is the default keybinding IIRC) and run there gpg --decrypt file.gpg.
In order to debug this, I run gpg-agent with these debug options enabled:
pinentry-program /home/doron/.bin/pinentry debug-pinentry debug 1024
I've also used ~/.bin/pinentry which's a script that wraps my distro's pinentry-gnome3 but logs some information about the environment.
Here's a journal log of gpg-agent with these debug flags set, given a gpg invocation inside gnome-terminal which successfully invoked pinentry-gnome3:
Here's another journal log, with a similar setup only that gpg was invoked by Firefox & gopass-jsonapi:
Here's another firefox journal log I ran when the script that called gopass also included gpg-connect-agent UPDATESTARTUPTTY /bye > /dev/null: