Should I mark/announce GNOME as incompatible with gpg2 for now?

Andre Heinecke aheinecke at
Thu Aug 28 16:38:51 CEST 2014


On Thursday, August 28, 2014 - KW 35 03:30:23 PM Werner Koch wrote:
> On Thu, 28 Aug 2014 12:46, stef at said:
> > It seems that you don't want gpg2 used with GNOME 3.x as is (in its
> > default configuration).
> No, I want you to change the default configuration - I told you that
> over lunch during last years FOSDEM.  This mess is going on for many
> years now and a lot of people are annoyed.  Fortunately most users of
> GnuPG's S/MIME feature are using KDE and not GNOME and thus are not
> affected by that hijacking.  With 2.1 OpenPGP users will also be
> affected and thus I escalated this issue using the new warning.

Still even if your run a mostly KDE desktop your distribution might ship the 
gnome-keyring pseudo gpg-agent and it might be started before the real gnome-

Kleopatra currently fails in the self test if gnome-keyring is hjacking the 
socket with an "error while asking gpg-agent for its version". There are 
already some bugs about this from users that do not know what is wrong.
But at least it complains. With older versions of kdepim / kleopatra you just 
get nasty unexpected errors when you try to use features which are not handled 
by your "pseudo" gpg-agent.

So I'm interested in this discussion as I should probably add a similar 
warning in the Kleopatra self test in case gnome-keyring has hijacked the 
socket as this hijacking breaks Kleopatra.

> > Should I go ahead and announce that gpg2 (version 2.0.23+) is
> > incompatible with GNOME and people should USE gnupg 1.4.x with GNOME 3.x
> The warning message says it all: GKR is hijacking the IPC between
> components of GnuPG - you don't have to mess with that!  Shall I start
> to encrypt and authenticate the IPC just to make it harder for GKR to
> mess with it - that would be a silly game.

I agree with Werner here. I feel like you want to trick users into using 
gnome-keyring when they expect to communicate with gpg-agent (With users I 
also mean other pieces of software)

From a Kleopatra standpoint I would like to see gnome-keyring packaged with a 
"breaks gnupg2" or at least the gpg-agent hijacking part should be packaged in 
a seprate package which can conflict/break with users of gnupg2 features.

It is not gnupg2 that is incompatible with gnome-keyring, it is gnome-keyring 
that deliberately breaks a large part of the feature set of gnupg2.

I mean what would you say if KWallet would set a GNOME_KEYRING_CONTROL 
environment variable to point to itself? Would you then go ahead and say gnome 
software is not compatible with a KDE Desktop or would you complain that 
KWallet breaks gnome-keyring users and should stop setting the variable?


Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140828/72d4b012/attachment.sig>

More information about the Gnupg-devel mailing list