
pinentry needs XAUTHORITY to connect to xserver
Closed, Resolved (Public)

Description

The gnupg system tries to transmit all relevant information from the
gnupg front-ends through the agent to the pinentry so that it can
communicate with the user. For connections to the X server, this is
currently limited to the value of the DISPLAY environment variable.
This is not quite enough, though.

X clients usually also require authorization information. This
information is usually taken from ~/.Xauthority. However, sometimes the
user uses a different file for that and indicates this with the
XAUTHORITY environment variable. If pinentry's environment has the
wrong value for XAUTHORITY it cannot connect to the X server even if
DISPLAY is set correctly.

In many cases relying on the implicit use of ~/.Xauthority works fine.
But there's at least one scenario where it isn't: Using GDM to log in and
the Debian gnupg packages.

The Debian gnupg packages install a script that is run when the user
logs in via GDM. This script starts the gpg agent if it is not yet
running and otherwise reuses the already running one. Now, at least in
some circumstances, GDM puts the authorization information into a file
in /tmp/ and sets XAUTHORITY accordingly. This variable is inherited by
the agent if it is started during login, otherwise the agent will likely
have a different and wrong value for XAUTHORITY. This means that the
agent can only start the pinentry program if it has been started during
the same GDM login session. A reused agent cannot start pinentry
properly.

One workaround is to make sure that the agent is always started
during login (and old agents are killed once they're no longer needed).
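The failure mode described above can be checked from the shell: read the environment the running gpg-agent inherited (Linux exposes it as /proc/PID/environ) and compare DISPLAY and XAUTHORITY with the current session's values. The script below is an added example for this report, not code from GnuPG or the Debian package; the sample environ blob and the /tmp cookie paths in it are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from GnuPG or Debian): detect a gpg-agent whose
# X connection variables no longer match the session it now serves.
# A pinentry spawned by such an agent would read the wrong cookie file.

# Print the value of variable $2 from a NUL-separated environ blob $1
# (same layout as /proc/<pid>/environ); prints nothing if it is unset.
environ_get() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Compare DISPLAY and XAUTHORITY between the agent's environ blob ($1)
# and the current session's values ($2 = DISPLAY, $3 = XAUTHORITY).
# An unset XAUTHORITY means X clients fall back to $HOME/.Xauthority,
# so both sides are normalised to that default before comparing.
# Returns 0 when both agree, 1 when either differs (details on stderr).
xenv_matches() {
    blob=$1 cur_display=$2 cur_xauth=$3
    agent_display=$(environ_get "$blob" DISPLAY)
    agent_xauth=$(environ_get "$blob" XAUTHORITY)
    [ -n "$agent_xauth" ] || agent_xauth="$(environ_get "$blob" HOME)/.Xauthority"
    [ -n "$cur_xauth" ] || cur_xauth="$HOME/.Xauthority"
    status=0
    if [ "$agent_display" != "$cur_display" ]; then
        echo "DISPLAY: agent has '$agent_display', session has '$cur_display'" >&2
        status=1
    fi
    if [ "$agent_xauth" != "$cur_xauth" ]; then
        echo "XAUTHORITY: agent has '$agent_xauth', session has '$cur_xauth'" >&2
        status=1
    fi
    return $status
}

# Check the gpg-agent actually running for this user (Linux /proc layout).
# Returns 2 if no agent is running, otherwise as xenv_matches.
check_live_agent() {
    pid=$(pgrep -u "$(id -u)" -x gpg-agent | head -n 1)
    [ -n "$pid" ] || { echo "no gpg-agent running for this user" >&2; return 2; }
    xenv_matches "/proc/$pid/environ" "${DISPLAY-}" "${XAUTHORITY-}"
}

# Constructed sample: the environ of an agent started in an earlier GDM
# login whose cookie file lived in /tmp (path made up for the example).
make_sample_environ() {
    f=$(mktemp) || return 1
    printf 'HOME=/home/alice\0DISPLAY=:0\0XAUTHORITY=/tmp/.gdm-old-session-example\0' > "$f"
    echo "$f"
}

# Stand-alone run: a reused agent seen from a new GDM session with a
# freshly generated cookie file, which is exactly the mismatch reported.
if [ "${1-}" = "--demo" ]; then
    sample=$(make_sample_environ)
    xenv_matches "$sample" ":0" "/tmp/.gdm-new-session-example" \
        && echo "agent environment matches" || echo "agent environment is stale"
    rm -f "$sample"
fi
```

Run it with `--demo` to see the constructed mismatch, or call `check_live_agent` in a login shell to test the real agent. On current GnuPG versions the stale values can be refreshed without restarting the agent by running `gpg-connect-agent updatestartuptty /bye` from the new session, which makes the agent adopt that session's DISPLAY and XAUTHORITY for later pinentry launches.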

Event Timeline

Versions:
gpg 1.4.1 and 2.0.3
gpg-agent 2.0.3
pinentry-qt 0.7.2

I need to lookup the details of the Debian script. Reusing a gpg-agent is not a
good idea IMHO.

The Debian script (/etc/X11/Xsession.d/90gpg-agent) was changed in version
2.0.6-1 of the debian package. It now runs the X-session as a subprocess of the
gpg-agent.

There is still the issue that one might in some circumstances use a different
XAUTHORITY, and it is not passed through.

Leaving this as a feature request to gnupg, although other components are
affected as well.

Marcus: I don't understand your comment: XAUTHORITY is passed through since 2.0.8.

Quite right, I didn't check the code. I guess this can be closed then?

werner claimed this task.