Description of problem:
gpg --gen-key fails if pinentry GUI is not installed.
Version-Release number of selected component (if applicable):
RHEL 6 beta 2
Steps to Reproduce:
1. yum erase pinentry-gtk 'pinentry-qt*'
2. gpg --gen-key
[jlaughlin@rtukickstart www]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: foobar
Email address: foobar
Not a valid email address
Email address: firstname.lastname@example.org
You selected this USER-ID:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
can't connect to `/home/jlaughlin/.gnupg/S.gpg-agent': No such file or directory
/usr/bin/pinentry: line 22: xprop: command not found
Please install pinentry-gui
gpg-agent: can't connect server: ec=4.16383
gpg-agent: can't connect to the PIN entry module: End of file
gpg-agent: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: Key generation canceled.
It does work if I install pinentry-gtk.
Do you have $DISPLAY set?
Does 'export PINENTRY_BINARY="/usr/bin/pinentry-curses"' work as a workaround?
Yes it does, thanks. The curses interface appears, takes my password, and gpg moves on to key generation as expected.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support
This should be solved in the pinentry helper to use the ncurses interface if the GUI is not installed even if the $DISPLAY is set if running on a terminal.
It should be noted, however, that such behaviour trades convenience for security. That is because an X window provided by the GTK/Qt pinentries is able to grab input globally, whereas pinentry-curses is not. It would therefore be possible for a malicious application to hijack and record the passphrase being given to pinentry-curses in an X terminal.
Moreover, pinentry has no simple way to know whether it is being run on a terminal or not. That is because gnupg redirects the stdin/stdout of the child pinentry process into a pipe. There are a few partial solutions and/or workarounds:
1. Manually set PINENTRY_BINARY as suggested above (or set it in ~/.gnupg/gpg-agent.conf)
2. Install a graphical pinentry if you are using X11 forwarding
3. Unset DISPLAY prior to working with gnupg over SSH
4. It would certainly help if gnupg tested that pinentry works at the beginning of any action which might require pinentry input. This would save users from having to fill in all the information only to be told at the end that it failed during the last step. But this is not directly related to this bug.
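A preflight check of the kind item 4 asks for, written here as an added example (not gnupg or pinentry code, and not from this bug report). It resolves the pinentry the way the workarounds above describe (PINENTRY_BINARY first, then the pinentry-program option in gpg-agent.conf, else the /usr/bin/pinentry wrapper) and assumes the wrapper needs a GUI pinentry whenever DISPLAY is set; the binary names pinentry-gtk-2, pinentry-qt and pinentry-qt4 are assumed, and the directories passed in are placeholders:

```shell
#!/bin/sh
# Preflight check for the pinentry gpg-agent would launch (added example,
# not gnupg/pinentry code). Resolution order mirrors the workarounds above:
# PINENTRY_BINARY, then pinentry-program in gpg-agent.conf, else the wrapper.
# Usage: pinentry_preflight <gpg-agent.conf> <bindir>
#   prints the pinentry it would use and returns 0, or returns 1 with a hint
#   on stderr in the situation from the report (DISPLAY set, no GUI pinentry).

resolve_pinentry() {
  conf=$1; bindir=$2
  if [ -n "$PINENTRY_BINARY" ]; then
    echo "$PINENTRY_BINARY"; return 0
  fi
  if [ -r "$conf" ]; then
    # take the last "pinentry-program <path>" line, if any
    p=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    if [ -n "$p" ]; then
      echo "$p"; return 0
    fi
  fi
  echo "$bindir/pinentry"
}

pinentry_preflight() {
  conf=$1; bindir=$2
  prog=$(resolve_pinentry "$conf" "$bindir")
  if [ ! -x "$prog" ]; then
    echo "pinentry_preflight: $prog is missing or not executable" >&2
    return 1
  fi
  case "$prog" in
    */pinentry)
      # Assumption: the /usr/bin/pinentry wrapper dispatches to a GUI pinentry
      # whenever DISPLAY is set, so one must be installed for it to succeed.
      if [ -n "$DISPLAY" ]; then
        for gui in pinentry-gtk-2 pinentry-qt pinentry-qt4; do
          if [ -x "$bindir/$gui" ]; then
            echo "$prog"; return 0
          fi
        done
        echo "pinentry_preflight: DISPLAY is set but no GUI pinentry in $bindir;" \
             "export PINENTRY_BINARY=$bindir/pinentry-curses or unset DISPLAY" >&2
        return 1
      fi
      ;;
  esac
  echo "$prog"
}
```

Running it before gpg --gen-key (for example with ~/.gnupg/gpg-agent.conf and /usr/bin) reports the "No pinentry" condition up front instead of after the key parameters have been typed in.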
Stanislav, feel free to close this bug as WONTFIX or NOTABUG given the available workarounds.
There are workarounds; however, users are repeatedly hitting this issue, so some improvement for handling this situation should be found.
There should certainly be a better way for gnupg to handle pinentry failure in a more informative way. "No pinentry" is an extremely frustrating message when you know you have pinentry installed. The same goes for using gnupg in graphical applications. It can result in silent failures where there is no clear message for the user (i.e. he/she will not even see the "Please install pinentry-gui" message). This falls under things which should obviously be handled upstream though.
While helping a customer with this issue we were still unable to get pinentry-curses to work, and eventually were led to a bug that prevents pinentry-curses from working if you have switched users with su instead of properly logging in as the end user:
Customer was running RHEL v6.5 x64. pinentry v0.7.6-6 and gnupg2 v2.0.14-6.
dist-git commits related to build pinentry-0.7.6-7.el6:
@Daniel: I was able to hit that issue, but unlike the report that you referenced I could not reproduce it when su'd to root. I had to be su'd to another regular user for it to reproduce. However, this has nothing to do with this issue, so feel free to open a separate bz for it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.