Bug 894019

Summary: Support GPGv2
Product: [Fedora] Fedora Reporter: Dennis van Dok <dennisvd>
Component: sigulAssignee: Patrick Uiterwijk <puiterwijk>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: icon, ktdreyer, luigiwalser, parsonsa, trailtotale
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-09 11:23:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 637902    
Bug Blocks: 1308754    

Description Dennis van Dok 2013-01-10 14:34:54 UTC
Description of problem:
importing an existing key from a file hangs up the client; the server gets stuck running gpg-agent and pinentry-curses processes.

Version-Release number of selected component (if applicable):
0.97-1.el6

How reproducible:
Need to set up client/bridge/server on CentOS 6

Steps to Reproduce:
1. set up a basic system according to the README
2. generate a gpg key on the client
3. export the gpg key to a file mykey.gpg
4. import the key to sigul with sigul import-key mykey mykey.gpg
   enter the passphrase of the key on the prompt, and a new passphrase twice.
  
Actual results:
no response; client doesn't return

Expected results:
client returns with result code

Additional info:

After lots of stracing, debugging, etc. we found that when gpg decides that it needs a passphrase to edit the key, it won't call back the _ChangePasswordResponder but rather start a gpg-agent, which in turn invokes a pinentry program because it needs a passphrase. 

The mail thread starting at http://lists.gnupg.org/pipermail/gnupg-users/2012-September/045414.html seems to suggest that this is by design since gnupg2, and there is no remedy for this other than to revert to using gnupg1 until gnupg2 implements the use of the agent feature pinentry-method=loopback.

As gnupg1 is not available on RHEL6 this issue breaks sigul on that platform.

Comment 1 Miloslav Trmač 2013-01-10 14:51:26 UTC
*** Bug 894021 has been marked as a duplicate of this bug. ***

Comment 2 Miloslav Trmač 2013-01-10 14:56:34 UTC
Thanks for your report.

I'm afraid there is no supported solution at this time.  gnupg2/gpgme just don't provide the necessary functionality (which is tracked as #637902).

The Fedora deployment uses a gnupg1 package and sigul modified to use it, see http://people.redhat.com/mitr/rpmsigner/rhel6/ .

Comment 3 Dennis van Dok 2013-01-11 13:23:05 UTC
Thanks for the quick response. The gnupg1 package works fine.

Best,

Dennis

Comment 4 Ken Dreyer 2013-02-21 22:20:23 UTC
Hi Miloslav,

So it sounds like gnupg would need to be branched for EPEL 6 in order to match what runs in Fedora infra?

Comment 5 Miloslav Trmač 2013-02-22 08:04:49 UTC
Yes, that would be an option, if you want to do so. I didn't want to commit to full/general maintenance of gnupg1 in EL6.

Comment 6 Fedora End Of Life 2013-04-03 19:33:49 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 7 Fedora End Of Life 2015-01-09 22:03:04 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Fedora End Of Life 2015-11-04 15:43:51 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Miloslav Trmač 2015-11-04 17:24:47 UTC
The blocking bug is closed WONTFIX, no immediate v2 solution in sight AFAIK. It can be made to work with GPG v1 (unset GPG_AGENT_INFO and DISPLAY).

Comment 10 Fedora Admin XMLRPC Client 2016-08-09 14:55:27 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 11 Patrick Uiterwijk 2016-10-01 22:00:48 UTC
I am now working on full support with GPGv2, and will use this bug to track progress.

In gpg>=2.1 there is now a loopback pinentry method supported, however, RHEL6 and RHEL7 only have gpg 2.0, which does not have this support.

Instead, I am thinking of making a custom pinentry tool, and use a GPG configuration that tells the agent to use that for getting the passphrase.
In the same agent configuration, all caching will be disabled, and we will send a manual kill signal after every request.

This pinentry would get a token via PINENTRY_EXTRA that it would submit to a unix socket owned by sigul server.
Upon receiving the correct token, the server will provide the passphrase.

Comment 12 Fedora End Of Life 2016-11-24 10:53:54 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 13 Fedora End Of Life 2016-12-20 12:33:01 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 14 Patrick Uiterwijk 2017-01-03 11:55:41 UTC
This is still in progress.

Comment 15 Patrick Uiterwijk 2020-06-09 11:23:49 UTC
This is now fixed in Sigul v1.0, of which Alpha 1 is now released and built in Rawhide.