Page MenuHome GnuPG
Create Task
Maniphest T7522

pinentry started with invalid DBUS_SESSION_BUS_ADDRESS when invoked by gpg running in flatpak container
Closed, ResolvedPublic
Actions

Description

It appears that the addition of DBUS_SESSION_BUS_ADDRESS to the list of standard environment variables automatically passed from the client to gpg-agent (added by T3947) causes a regression for environments where the client does not have correct information about the environment in which pinentry will be launched.

An example of such an environment is an application running in a Flatpak container. When gpg is invoked from inside the container, its environment will contain DBUS_SESSION_BUS_ADDRESS=/run/flatpak/bus. This DBUS address is only valid within the container, but it will be passed to the gpg-agent running on the host system. pinentry is then launched by the agent on the host system with the same DBUS address in the environment and will fail to connect to DBUS, thereby failing to prompt the user for their pin.

This issue has been reported in the linked bug report (for Mozilla Thunderbird Flatpak) [1] [2] and also on the gnupg-users mailing list (for Evolution Flatpak) [3]. It is likely that any Flatpak application that packages gpg and communicates with a gpg-agent running on the host will experience this issue.

Steps to reproduce, without using Flatpak:

  • Install gpg >= 2.3.0
  • Create a signing key protected by a password
  • Configure gpg-agent to use pinentry-gnome3
pinentry-program /usr/bin/pinentry-gnome3
  • Simulate running gpg with an invalid DBUS_SESSION_BUS_ADDRESS in the environment:
DBUS_SESSION_BUS_ADDRESS=/run/flatpak/bus gpg --sign --armor
  • pinentry-gnome3 is unable to connect to DBUS and so cannot prompt the user in their graphical environment. In this example, pinentry is able to fall back to the curses prompt in the terminal, but when running from inside a Flatpak, this fallback is not available and so no prompt is displayed to the user at all.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1931862
[2] https://github.com/flathub/org.mozilla.Thunderbird/issues/287
[3] https://lists.gnupg.org/pipermail/gnupg-users/2025-February/067500.html

Details

External Link
https://bugzilla.mozilla.org/show_bug.cgi?id=1931862
Version
2.4.7, master

Revisions and Commits

rG GnuPG
rG7a472525169a agent: New option --change-std-env-name.

Related Objects

Event Timeline

samoverton created this task.Feb 9 2025, 1:57 AM
samoverton added a comment.Feb 9 2025, 4:45 AM

My proposed solution is to add a config variable pinentry-ignored-env to gpg-agent which specifies a comma-separated list of environment variables which should not be passed from the client to pinentry.

Patch:

https://lists.gnupg.org/pipermail/gnupg-devel/2025-February/035782.html

An alternate solution might be to make configurable the whole static list of environment variables that can be passed from client to agent, instead of hard-coding them. I avoided this approach since several of these variables already have custom logic associated with them, so it would require a more delicate change.

ikloecker added a subscriber: ikloecker.Sun, Feb 9, 8:14 PM

It's pretty ironic that we added DBUS_SESSION_BUS_ADDRESS because of pinentry-gnome3 and now we need to add an option to remove it because of pinentry-gnome3.

Given that we added DBUS_SESSION_BUS_ADDRESS for the special use case of someone manually launching a separate DBUS session (T3947) it seems more sensible to me to not pass DBUS_SESSION_BUS_ADDRESS unless explicitly configured with an option even if this causes a regression for those few who do use a separate DBUS session. Or is launching a separate DBUS session a common thing on Gnome?

samoverton added a comment.Mon, Feb 10, 1:48 AM

it seems more sensible to me to not pass DBUS_SESSION_BUS_ADDRESS unless explicitly configured with an option

Yes, I'm happy either way. I think it just needs to be configurable one way or the other, because the problem in this case is caused by the environment variable being passed no matter what.

Or is launching a separate DBUS session a common thing on Gnome?

I can't speak for every use-case but systemd.io does say the following:

Single Graphical Session

systemd only supports running one graphical session per user at a time. While this might not have always been the case historically, having multiple sessions for one user running at the same time is problematic. The DBus session bus is shared between all the logins, and services that are started must be implicitly assigned to the user’s current graphical session.
werner added a subscriber: werner.Mon, Feb 10, 4:07 PM

What about deleting the environment variable in gpg-agent:

gpg-connect-agent 'OPTION putenv=DBUS_SESSION_BUS_ADDRESS' /bye

or to use a pinentry-wrapper?

werner added projects: gpgagent, pinentry, Linux.Mon, Feb 10, 4:08 PM
samoverton added a comment.Tue, Feb 11, 4:52 PM

Yes, the workaround is to use a pinentry wrapper script that sets the value back to the correct one and then invokes the real pinentry.

I don't think that is a viable solution though, since every user of any Flatpak that packages gpg will run into this problem and the current behavior is only correct for the niche use-case where a user has multiple DBus sessions running for multiple display servers.

It would be preferable to have some way within the gpg-agent to either prevent the pass-through of this variable from the client or to default to not passing it through (imho).

werner added a comment.Wed, Feb 12, 9:12 AM

Alright, my above putenv option won't work because it modifies the session environment and thus needs to be run for each gpg-agent session (connection). Adding a putenv_startrup option would help here but this way each connection could chnage the environment - also not good. In the end a way to modify the used environment variables, as you suggested, is a better way.

werner added a commit: rG7a472525169a: agent: New option --change-std-env-name..Wed, Feb 12, 11:14 AM
werner added a comment.Wed, Feb 12, 11:15 AM

Here we go:

--change-std-env-name -name
        The  agent uses a fixed list of environment variables which are passed on to the Pinentry.  This option allows to remove variables from that list.  For example:

     change-std-env-name -DBUS_SESSION_BUS_ADDRESS
werner closed this task as Resolved.Wed, Feb 12, 11:16 AM
werner claimed this task.
werner moved this task from Backlog to Done on the pinentry board.
werner mentioned this in T7480: Release GnuPG 2.5.4.Wed, Feb 12, 12:01 PM