Should I mark/announce GNOME as incompatible with gpg2 for now?

Stef Walter stef at
Fri Aug 29 11:17:19 CEST 2014

On 28.08.2014 16:38, Andre Heinecke wrote:
> Hi,
> On Thursday, August 28, 2014 - KW 35 03:30:23 PM Werner Koch wrote:
>> On Thu, 28 Aug 2014 12:46, stef at said:
>>> It seems that you don't want gpg2 used with GNOME 3.x as is (in its
>>> default configuration).
>> No, I want you to change the default configuration - I told you that
>> over lunch during last years FOSDEM.  This mess is going on for many
>> years now and a lot of people are annoyed.  Fortunately most users of
>> GnuPG's S/MIME feature are using KDE and not GNOME and thus are not
>> affected by that hijacking.  With 2.1 OpenPGP users will also be
>> affected and thus I escalated this issue using the new warning.
> Still even if your run a mostly KDE desktop your distribution might ship the 
> gnome-keyring pseudo gpg-agent and it might be started before the real gnome-
> keyring.
> Kleopatra currently fails in the self test if gnome-keyring is hjacking the 
> socket with an "error while asking gpg-agent for its version". There are 
> already some bugs about this from users that do not know what is wrong.
> But at least it complains. With older versions of kdepim / kleopatra you just 
> get nasty unexpected errors when you try to use features which are not handled 
> by your "pseudo" gpg-agent.
> So I'm interested in this discussion as I should probably add a similar 
> warning in the Kleopatra self test in case gnome-keyring has hijacked the 
> socket as this hijacking breaks Kleopatra.
>>> Should I go ahead and announce that gpg2 (version 2.0.23+) is
>>> incompatible with GNOME and people should USE gnupg 1.4.x with GNOME 3.x
>> The warning message says it all: GKR is hijacking the IPC between
>> components of GnuPG - you don't have to mess with that!  Shall I start
>> to encrypt and authenticate the IPC just to make it harder for GKR to
>> mess with it - that would be a silly game.
> I agree with Werner here. I feel like you want to trick users into using 
> gnome-keyring when they expect to communicate with gpg-agent (With users I 
> also mean other pieces of software)
> From a Kleopatra standpoint I would like to see gnome-keyring packaged with a 
> "breaks gnupg2" or at least the gpg-agent hijacking part should be packaged in 
> a seprate package which can conflict/break with users of gnupg2 features.
> It is not gnupg2 that is incompatible with gnome-keyring, it is gnome-keyring 
> that deliberately breaks a large part of the feature set of gnupg2.

That's just semantics. As I've said, I'm not against changing this. And
else in this thread I've outlined several approaches that could be taken
to contribute such a fix.

> I mean what would you say if KWallet would set a GNOME_KEYRING_CONTROL 
> environment variable to point to itself? Would you then go ahead and say gnome 
> software is not compatible with a KDE Desktop or would you complain that 
> KWallet breaks gnome-keyring users and should stop setting the variable?

It would be awesome to finally have that done ... :) In fact we worked
on a standard API with the KWallet developers so this would be possible:

Once again, communication, working together, even a simple email, and
contributing is *way* more effective that spamming everyone with warnings.



More information about the Gnupg-devel mailing list