gpgsm issuing two concurrent passphrase requests fails

Alfred Ganz alfred-ganz+gpg at agci.com
Sun Aug 3 23:43:43 CEST 2014


Bernhard,

On Thursday 10 July 2014 at 21:28:41, Alfred Ganz wrote:
> ? gpgsm --import ssh-key.p12
> and it is after this command there exists a hanging pinentry.

I am sorry to make this complicated, here is the sequence of
commands that I did in various windows:
  openssl req -new -x509 -key <ssh-key-file> -out ssh-cert.pem
  openssl pkcs12 -export -in ssh-cert.pem -inkey <ssh-key-file> -out ssh-key.p12
separate window:
  gpg-agent --csh --no-detach --debug-level basic --daemon > ~/.gpg-agent-info
  source ~/.gpg-agent-info
yet another window:
  source ~/.gpg-agent-info
  gpgsm --import ssh-key.p12
This last command will need both a passphrase to unprotect the PKCS#12 
object, and later one to open my secret key to import the new key.

I did it both with just plain /usr/bin/pinentry-curses as well as
/usr/bin/pinentry-gtk-2, the effect was the same in both cases.

Also, I have done what failed with gpgsm (GnuPG) 2.0.14 and gpg-agent 
(GnuPG) 2.0.14 successfully under gnupg-1.4.5-14.el5_5.1 and 
gnupg2-2.0.10-3.el5_5.1. Note that in the earlier system the passphrases
were entered via interactive keyboard prompt.

I think your hypothesis is correct, but only for one of the two 
pinentries, which puzzles me because one of the pinentries works just fine.
Looking at the gpg-agent debug output in the attachment to my first 
message (Jul  9 01:16:25 2014), what seems to happen is that one
pinentry invocation is nicely set up (it will be used later and works!),
but then the second pinentry invocation, which isn't set up like the 
first one, tries to get the passphrase for the PKCS#12 object and fails. 
Note that after getting rid of the hung pinentry, we actually proceed to 
get the passphrase of the secret key, but of course the PKCS#12 hasn't
been unprotected, and so everything fails. Since I don't really
understand what is going on, can you tell me where each of the pinentry
requests originates?

Can you please tell me with what debug options you would like me to run
the above commands, and where to send the results; I will be glad to
try to get it done.

Thanks for your help, AG

-- 
 ----------------------------------------------------------------------
   Alfred Ganz					alfred-ganz:at:agci.com
   AG Consulting				(203) 624-9667
   440 Prospect Street # 11
   New Haven, CT 06511
 ----------------------------------------------------------------------