Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key
NIIBE Yutaka
gniibe at fsij.org
Thu Jul 21 04:21:49 CEST 2016
On 07/20/2016 05:06 PM, Thomas Glanzmann wrote:
> I have yubikey 4 plugged into my Laptop, than I use ssh to forward my
> gpg agent socket to a remote machine, On the remote machine I start mutt
> and would like to read an encrypted email using the RSA encryption key
> stored on my yubikey. It works if I use gpg2 to enter the pin by opening
> an encrypted file using the same encryption key. Mutt does _not_ prompt
> me to enter the pin for the smartcard. I assume that code is missing in
> mutt to prompt for the key. Is there any documentation or another
> possible simple example how to obtain that so that I can write a patch
> for mutt?
>
> My mutt config:
>
> set crypt_use_gpgme=yes
>
> The mutt error messages are:
> Could not decrypt PGP message
> Could not copy message
>
> When I prepopulate using the remote machine:
> PGP message successfully decrypted.
What do you mean by the term "prepopulate"? Do you invoke
"gpg --card-edit" command line, to invoke the
subcommand "verify"?
In this message, I explain standard pinentry (not loopback mode).
It is gpg-agent which invokes pinentry. It is not the client program
of gpgme.
Here are steps and the interaction.
(1) here are the processes
[gpgme]----[gpg]====[gpg-agent]----[scdaemon]
^--- possibly by forwarded socket
(2) A client program (Mutt, in your case) asks decryption through gpgme
decrypt
[gpgme]--->[gpg]----[gpg-agent]----[scdaemon]
(3) it goes to scdaemon
decrypt
[gpgme]----[gpg]--->[gpg-agent]----[scdaemon]
decrypt
[gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
(4) if the token is not authenticated yet,
scdaemon asks a user PIN back through gpg-agent
"PIN please"
[gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
(5) Then, gpg-agent invokes pinentry.
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]
|
[pinentry]<---/
(6) pinentry pops up GUI dialog window to user.
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]
|
User <----[pinentry]----/
(7) User inputs PIN by the dialog.
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]
|
User ---->[pinentry]----/
PIN
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]
^
[pinentry]----/
PIN
PIN
[gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
(8) scdaemon sends the pin to the token to authenticate.
PIN
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
(9) Token is ready to decrypt, now.
scdaemon sends encrypted message to the token.
decrypt
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
(10) token replies back by decrypted message.... to gpgme.
decrypted
[gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]
decrypted
[gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
decrypted
[gpgme]----[gpg]<---[gpg-agent]----[scdaemon]
decrypted
[gpgme]<---[gpg]----[gpg-agent]----[scdaemon]
You can configure gpg-agent to emit debug message to file.
Here is an example configuration
======================== .gnupg/gpg-agent.conf
debug-level guru
debug-all
log-file /tmp/gpg-agent.log
(or /run/user/<UID>/gpg-agent.log )
========================
Prepare the file, and type following command line:
$ gpg-connect-agent RELOADAGENT /bye
Then, try to decrypt. You can figure out the place where thing's
going wrong.
It sounds for me that gpg-agent fails in the step (5) in the figure
above, for some reason.
I have an experience pinentry-gnome3 fails soon after it is execed,
while pinentry-gtk works well. In some cases, we need to update
environment variable of gpg-agent (like DBUS_SESSION_BUS_ADDRESS and
DISPLAY) to notify change of terminal/desktop, so that gpg-agent will be
able to spawn pinentry on the particular terminal/desktop. The
command line to update the envvars is:
$ gpg-connect-agent UPDATESTARTUPTTY /bye
Well, I fixed a bug of UPDATESTARTUPTTY, and it is in 2.1.14.
--
More information about the Gnupg-users
mailing list