Page MenuHome GnuPG
Create Task
Maniphest T7459

5.0.0-beta: Pinentry crashes with 0x000007b
Open, NormalPublic
Actions

Description

Hi there,

the other day I installed the new beta and all the CLI seemed to be working fine until I tried to commit something with git. You see, I have git for Windows here and I am using gpg to authenticate myself via ssh-pageant with the git server. When git tried to call pinentry an error message box popped up (see below) telling: The application was unable to start correctly (0x000007b). Click OK to close the application.

However I am not sure if git tried to start its own pinentry (located under the virtual /usr/bin/pinentry) or if it tried the gpg one. Anyway, there seems to be some sort of incompatibility there. Works fine with gpg4win 4.4.0 though.

  • gpg4win 5.0.0-beta32
  • git for Windows 2.47.1 64bit
  • Microsoft Windows Version 10.0.22631.4460

Any thoughts would be appreciated!

Details

Version
5.0.0-beta32

Event Timeline

JanMosigItemis created this task.Dec 16 2024, 12:40 PM
werner added a subscriber: werner.EditedDec 16 2024, 3:04 PM

Jan, you please run something like

echo foo | gpg --clearsign -v --status-fd 2 >/dev/null

this should show which pinentry is used. Also, the output of

gpgconf -X

will be helpful.

werner added a project: pinentry.Dec 16 2024, 3:04 PM
JanMosigItemis added a comment.EditedDec 20 2024, 10:25 AM

Here you are:

which pinentry
/usr/bin/pinentry
echo foo | gpg --clearsign -v --status-fd 2 >/dev/null

gpg: enabled compatibility flags:
<A LOT OF UNRELATED EXPIRED SIGNING KEY WARNINGS>
[GNUPG:] KEY_CONSIDERED 6AA51DE4244871E86C62367237F0780907ABEF78 0
gpg: writing to stdout
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: No pinentry
[GNUPG:] FAILURE sign 67108949
gpg: [stdin]: clear-sign failed: No pinentrysrc/libwinpty/winpty.cc, line 924
# gpgconf -X invoked 2024-12-20 09:13:17                            -*- org -*-

* General information
** Versions
  GnuPG 2.5.2 (84e1781201489e50888c9415bb2625f9dd27cb8a)
  MingW32
  Windows 10.0 build 19045
  Libgcrypt 1.11.0
  GpgRT 1.51
  Codepages: 65001 1252 850


** Directories
#+begin_example
  sysconfdir:C%3a\ProgramData\GNU\etc\gnupg
  bindir:C%3a\<DIR>\gpg\bin
  libexecdir:C%3a\<DIR>\gpg\bin
  libdir:C%3a\<DIR>\gpg\lib\gnupg
  datadir:C%3a\<DIR>\gpg\share\gnupg
  localedir:C%3a\<DIR>\gpg\share\locale
  socketdir:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox
  dirmngr-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.dirmngr
  keyboxd-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.keyboxd
  agent-ssh-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.gpg-agent.ssh
  agent-extra-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.gpg-agent.extra
  agent-browser-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.gpg-agent.browser
  agent-socket:C%3a\Users\<USER>\AppData\Local\gnupg\d.ibosw3p9onc4e3ox\S.gpg-agent
  homedir:C%3a\Users\<USER>\.gnupg
#+end_example

** Environment
#+begin_example
PATH=C:\Users\<DIR>\bin;C:\<DIR>\git\mingw64\bin;C:\<DIR>\git\usr\local\bin;C:\<DIR>\git\usr\bin;C:\<DIR>\git\us
r\bin;C:\<DIR>\git\mingw64\bin;C:\<DIR>\git\usr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerSh
ell\v1.0;C:\Windows\System32\OpenSSH;C:\<DIR>\gpg\bin;C:\Users\<USER>\AppData\Local\Microsoft\WindowsApps;C:\<DIR>\gpg\bin_64;C:\<DIR>\gpg\bin;C:\<DIR>\git\usr\bin\vendor_perl;C:\<DIR>\git\usr\bin\core_perl
#+end_example
* Config files

** local config "C:\Users\<USER>\.gnupg\gpg-agent.conf"
#+begin_src
  #How long should a passphrase be cached? Time unit is seconds.
  default-cache-ttl 600
  #Evict cached phrases even if they have been recently accessed.
  max-cache-ttl 600
  enable-putty-support
  enable-win32-openssh-support

#+end_src

** local config "C:\Users\<USER>\.gnupg\scdaemon.conf"
#+begin_src

#+end_src

** local config "C:\Users\<USER>\.gnupg\dirmngr.conf"
#+begin_src
  #standard-resolver
  #debug-all
  #log-file dirmngr.log

  ###+++--- GPGConf ---+++###
  allow-version-check
  keyserver hkps://keys.openpgp.org
  ###+++--- GPGConf ---+++### 05/18/18 15:08:58 Mitteleuropische Sommerzeit
  # GPGConf edited this configuration file.
  # It will disable options before this marked block, but it will
  # never change anything below these lines.

#+end_src

** local config "C:\Users\<USER>\.gnupg\gpg.conf"
#+begin_src
  # Avoid information leaks
  no-emit-version
  no-comments
  export-options export-minimal

  # Displays the long format of the ID of the keys and their fingerprints
  keyid-format 0xlong
  with-fingerprint

  # Displays the validity of the keys
  list-options show-uid-validity
  verify-options show-uid-validity

  # Limits the algorithms used
  personal-cipher-preferences AES256
  personal-digest-preferences SHA512
  default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed

  cipher-algo AES256
  digest-algo SHA512
  cert-digest-algo SHA512
  compress-algo ZLIB

  disable-cipher-algo 3DES
  #Deactivated, because there are a lot of SHA-1 based signatures out there and we still need to support them for a little wh
ile longer.
  #weak-digest SHA1

  s2k-cipher-algo AES256
  s2k-digest-algo SHA512
  s2k-mode 3
  s2k-count 65011712

  keyserver-options no-honor-keyserver-url
  keyserver-options include-revoked
#+end_src


* Other info
** Registry entries
#+begin_example

Outlook related:
  \Software\Microsoft\Office\Outlook\Addins\GNU.GpgOL:LoadBehavior
  ->3<- [hklm]
#+end_example
# eof #
werner added a comment.Dec 20 2024, 10:54 AM

gpg: [stdin]: clear-sign failed: No pinentrysrc/libwinpty/winpty.cc, line 924

(stdout and stderr are mixed.) There is no pinentry, probably because
it crashed right away. I wonder about the winpty.cc - this is not a
source file we are using and thus you should never see this message.

Given your %PATH% it seems that there is some gpg version in your git
installation which messes things up. It is not a good idea to mix
different GnuPG versions.

I also wonder about the default homedir which is not what we use on
Windows but it looks more like a Unix thing straightforward ported to
Windows without the required adjustments.

which pinentry
/usr/bin/pinentry

shows this. Does this git installation use WSDL?

My suggestion is to remove the gpg parts from git and use only the
things from Gpg4win. Changing the PATH to include the Gpg4win
installation directly earlier might be sufficient. Did you really
install Gpg4win to c:/.../gpg ? This is a uncommon and Kleopatra
might not be able to find its GnuPG version. Better go with the
standard installation directories.

JanMosigItemis added a comment.Dec 20 2024, 11:04 AM

Thanks for the comments. This is a regular git for Windows install which afaik uses mingw64. The messup with the binaries brought in by git has always been this way. I am using aliases to differentiate between the different versions. One might think that this may cause things to break, however all used to work well with 4.x versions.

FYI I tried the clearsign example on Windows cmd prompt:

echo foo | gpg --clearsign -v
gpg: enabled compatibility flags:
gpg: Hinweis: Signaturschlüssel 0x5B7CC3CB8C21B4BB ist am 2022-04-01 16:18:18 verfallen
gpg: Hinweis: Signaturschlüssel 0x5B7CC3CB8C21B4BB wurde widerrufen
gpg: Hinweis: Signaturschlüssel 0xCE17256FB5C98A0F ist am 2019-04-06 13:48:24 verfallen
gpg: Hinweis: Signaturschlüssel 0xCE17256FB5C98A0F wurde widerrufen
gpg: verwende Vertrauensmodell pgp
gpg: "0x37F0780907ABEF78" wird als voreingestellter geheimer Signaturschlüssel benutzt
gpg: Hinweis: Signaturschlüssel 0x5B7CC3CB8C21B4BB ist am 2022-04-01 16:18:18 verfallen
gpg: Hinweis: Signaturschlüssel 0x5B7CC3CB8C21B4BB wurde widerrufen
gpg: Hinweis: Signaturschlüssel 0xCE17256FB5C98A0F ist am 2019-04-06 13:48:24 verfallen
gpg: Hinweis: Signaturschlüssel 0xCE17256FB5C98A0F wurde widerrufen
gpg: der Unterschlüssel 0x1ECA0D508AA83C05 wird anstelle des Hauptschlüssels 0x37F0780907ABEF78 verwendet
gpg: Schreiben auf die Standardausgabe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

foo
gpg: Beglaubigung fehlgeschlagen: Kein Pinentry
gpg: [stdin]: clear-sign failed: Kein Pinentry

Sorry for the german localisation but I think you'll get the gist of it.

About the install location and paths: Works like a charm + I do not use Kleopatra at all.

JanMosigItemis added a comment.Dec 20 2024, 12:06 PM

I just tried to call pinentry directly on Windows cmd prompt:

C:\>c:\<DIR>\gpg\bin\pinentry.exe

Results in the same error msg box.

aheinecke added a subscriber: aheinecke.Fri, Dec 20, 2:53 PM

Yeah that is a messed up environment mixing elf and windows binaries. There is no which on windows. It is called where. So if your terminal is able to execute which then this is some kind of Linux environment on Windows. The winpty error comes from the terminal. Please use cmd.exe for all tests.

So what could be the problem: Likely problem here is that Pinentry loads libraries from different builds. If you use a Linux terminal, install gnupg for linux in your linux environment. If you use a windows terminal use gpg4win. But mixing both is neither supported nor supposed to work.

With pinentry-qt another problem might be qt libraries which could be loaded as optional plugins and which might also belong to a different qt build. But this is another thing which will only happen in an unclean developer environment.

If you really want to debug this, I would recommend looking in event viewer to see which library causes the crash, that might give a hint and then start with cmd.exe as terminal. Clean your PATH environment variable and maybe things like QT PLUGIN PATH and and then go from there.

ikloecker added a subscriber: ikloecker.Fri, Dec 20, 3:06 PM

What components of Gpg4win other than GnuPG do you use?

JanMosigItemis added a comment.Mon, Jan 6, 9:37 AM

None. I just use the command line tools and always perform a "minimal" install. @aheinecke: I already tested it on cmd.exe. Same result. Also I do not have QT installed, or a QT_PLUGIN_PATH set up. The bottom line for me is still:

Works with 4.x, does not work with 5.x

ikloecker added a comment.Mon, Jan 6, 1:17 PM

Thanks for your feedback. Maybe the "minimal" install is missing a file. It's a beta version for a reason. We'll make sure to fix it for the stable release.

If you only need the command line tools (and GnuPG 2.4.7 is good enough for you) then you could use the "Simple installer" for Windows instead of Gpg4win. It comes with a different (simpler) pinentry program that doesn't depend on Qt.

JanMosigItemis added a comment.Mon, Jan 6, 1:30 PM

No problem. I can stay on 4.4.x. Just thought I should give the beta a try and let you guys know.

JanMosigItemis added a comment.Mon, Jan 6, 1:32 PM

FYI usually these are my install options:

Would like to deselect Kleopatra btw. :)

ikloecker added a comment.Mon, Jan 6, 2:12 PM

GpgEX requires/uses Kleopatra so that only GnuPG would be left if you could deselect Kleopatra. And that's exactly what the simple installer installs because the simple installer is included in the Gpg4win installer.

werner added a comment.Tue, Jan 7, 8:33 AM

Note that that Beta uses a 64 bit Kleopatra but the GnuPG engine was accidentally build for 32 bit. This will be fixed with the next Beta. That might increase the confusion a bit.

werner triaged this task as Normal priority.Tue, Jan 7, 8:34 AM
werner added a project: Windows.