Bug 662770 - gpg --gen-key fails if pinentry GUI is not installed.
Summary: gpg --gen-key fails if pinentry GUI is not installed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pinentry
Version: 6.0
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Boris Ranto
QA Contact: Martin Žember
URL:
Whiteboard:
Depends On:
Blocks: 1075802 1159820
TreeView+ depends on / blocked
 
Reported: 2010-12-13 20:17 UTC by Jeff Laughlin
Modified: 2019-07-23 10:07 UTC (History)
10 users (show)

Fixed In Version: pinentry-0.7.6-7.el6
Doc Type: Bug Fix
Doc Text:
Cause: The auto-detection of pinentry to-be-run binary failed in few cases. Consequence: The pinentry wrapper tried to launch pinentry-gtk even if it was not installed. Fix: Update the pinentry wrapper to handle the corner cases better and fall back to pinentry-curses in this case. Result: The pinentry wrapper falls back to pinentry-curses in this case.
Clone Of:
: 1231229 (view as bug list)
Environment:
Last Closed: 2015-03-30 08:09:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0755 normal SHIPPED_LIVE pinentry bug fix update 2015-03-30 12:08:52 UTC

Description Jeff Laughlin 2010-12-13 20:17:27 UTC
Description of problem:
gpg --gen-key fails if pinentry GUI is not installed.

Version-Release number of selected component (if applicable):
RHEL 6 beta 2
gnupg2-2.0.14-3.el6.i686
pinentry-0.7.6-5.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. yum erase pinentry-gtk 'pinentry-qt*'
2. gpg --gen-key
  
Actual results:
[jlaughlin@rtukickstart www]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
                              
Please select what kind of key you want:
   (1) RSA and RSA (default)  
   (2) DSA and Elgamal        
   (3) DSA (sign only)        
   (4) RSA (sign only)        
Your selection?               
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)         
Key does not expire at all    
Is this correct? (y/N) y      
                              
GnuPG needs to construct a user ID to identify your key.
                              
Real name: foobar             
Email address: foobar         
Not a valid email address     
Email address: foo@bar.com    
Comment:                      
You selected this USER-ID:    
    "foobar <foo@bar.com>"    
                              
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
                              
can't connect to `/home/jlaughlin/.gnupg/S.gpg-agent': No such file or directory
/usr/bin/pinentry: line 22: xprop: command not found
Please install pinentry-gui   
gpg-agent[17004]: can't connect server: ec=4.16383
gpg-agent[17004]: can't connect to the PIN entry module: End of file
gpg-agent[17004]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: Key generation canceled. 
[jlaughlin@rtukickstart www]$

Expected results:
Key generation.

Additional info:
It does work if I install pinentry-gtk.

Comment 2 Tomas Mraz 2010-12-13 20:34:11 UTC
Do you have $DISPLAY set?

Does 'export PINENTRY_BINARY="/usr/bin/pinentry-curses"' work as a workaround?

Comment 3 Jeff Laughlin 2010-12-16 00:53:22 UTC
Yes it does, thanks. The curses interface appears, takes my password, and gpg moves on to key generation as expected.

Comment 4 RHEL Product and Program Management 2011-01-07 15:38:10 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 6 Suzanne Yeghiayan 2012-02-14 23:05:20 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 7 Tomas Mraz 2012-06-13 07:54:50 UTC
This should be solved in the pinentry helper to use the ncurses interface if the GUI is not installed even if the $DISPLAY is set if running on a terminal.

Comment 8 Stanislav Ochotnicky 2012-06-13 09:54:10 UTC
It should be noted however that such behaviour trades convenience for security. That is because an X window provided by GTK/QT pinentries is able to grab input globally, whereas pinentry-curses is not. It would be therefore possible for a malicious application to hijack and record passphrase being given to pinentry curses in X terminal.

Moreover pinentry has no simple way to know if it's being run on a terminal or not. That is because gnupg redirects stdin/out of child pinentry process into a pipe. There are a few partial solutions and/or workarounds:

1. Manually set PINENTRY_BINARY as was suggested above (or set it in ~/.gnupg/gpg-agent.conf)
2. Install graphical pinentry if you are using X11 forwarding
3. Unset DISPLAY prior to working with gnupg over SSH
4. It would certainly help if gnupg tested that pinentry works in the beginning of any action which might require pinentry input. This would help users avoid having to go through filling in information only to be told in the end that it failed during last step. But this is not directly related to this bug

Comment 9 Tomas Mraz 2012-06-13 10:15:10 UTC
Stanislav, feel free to close this bug as WONTFIX or NOTABUG given the available workarounds.

Comment 10 Stanislav Ochotnicky 2012-06-13 14:26:45 UTC
There are workarounds, however users are repeatedly hitting this issue so some improvement for handling this situation should be found. 

There should certainly be a better way for gnupg to handle pinentry failure in a more informative way. "No pinentry" is extremely frustrating message when you know you have pinentry installed. Same goes for using gnupg in graphical applications. It can result in silent failures where there is no clear message for the user (i.e. he/she will not even see the "Please install pinentry-gui"). This falls under things which should obviously be handled with upstream though.

Comment 23 Daniel Johnson 2015-01-13 20:09:09 UTC
While helping a customer with this issue we were still unable to get pinentry-curses to work, and eventually were led to a bug that prevents pinentry-curses from working if you are su'd instead of properly logged in as the end user:
  https://bugs.g10code.com/gnupg/issue1391

Customer was running RHEL v6.5 x64.  pinentry v0.7.6-6 and gnupg2 v2.0.14-6.

Comment 26 Boris Ranto 2015-02-02 14:29:17 UTC
@Daniel: I was able to hit that issue but unlike the report that you referenced I could not reproduce it when su'd to root. I had to be su'd to another regular user for it to reproduce. However, this has got nothing to do with this issue so feel free to open a separate bz for the issue.

Comment 29 errata-xmlrpc 2015-03-30 08:09:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0755.html


Note You need to log in before you can comment on or make changes to this bug.