Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key

NIIBE Yutaka gniibe at fsij.org
Thu Jul 21 04:21:49 CEST 2016

On 07/20/2016 05:06 PM, Thomas Glanzmann wrote:
> I have yubikey 4 plugged into my Laptop, than I use ssh to forward my
> gpg agent socket to a remote machine, On the remote machine I start mutt
> and would like to read an encrypted email using the RSA encryption key
> stored on my yubikey. It works if I use gpg2 to enter the pin by opening
> an encrypted file using the same encryption key. Mutt does _not_ prompt
> me to enter the pin for the smartcard. I assume that code is missing in
> mutt to prompt for the key. Is there any documentation or another
> possible simple example how to obtain that so that I can write a patch
> for mutt?
> My mutt config:
> set crypt_use_gpgme=yes
> The mutt error messages are:
> Could not decrypt PGP message
> Could not copy message
> When I prepopulate using the remote machine:
> PGP message successfully decrypted.

What do you mean by the term "prepopulate"?  Do you invoke
"gpg --card-edit" command line, to invoke the
subcommand "verify"?

In this message, I explain standard pinentry (not loopback mode).

It is gpg-agent which invokes pinentry.  It is not the client program
of gpgme.

Here are steps and the interaction.

(1) here are the processes
                  ^--- possibly by forwarded socket

(2) A client program (Mutt, in your case) asks decryption through gpgme

(3) it goes to scdaemon


(4) if the token is not authenticated yet,
    scdaemon asks a user PIN back through gpg-agent
                               "PIN please"

(5) Then, gpg-agent invokes pinentry.

(6) pinentry pops up GUI dialog window to user.
  User <----[pinentry]----/

(7) User inputs PIN by the dialog.
  User ---->[pinentry]----/



(8) scdaemon sends the pin to the token to authenticate.

(9) Token is ready to decrypt, now.
    scdaemon sends encrypted message to the token.

(10) token replies back by decrypted message.... to gpgme.




You can configure gpg-agent to emit debug message to file.
Here is an example configuration

======================== .gnupg/gpg-agent.conf
debug-level guru
log-file /tmp/gpg-agent.log
 (or /run/user/<UID>/gpg-agent.log )

Prepare the file, and type following command line:

  $ gpg-connect-agent RELOADAGENT /bye

Then, try to decrypt.  You can figure out the place where thing's
going wrong.

It sounds for me that gpg-agent fails in the step (5) in the figure
above, for some reason.

I have an experience pinentry-gnome3 fails soon after it is execed,
while pinentry-gtk works well.  In some cases, we need to update
environment variable of gpg-agent (like DBUS_SESSION_BUS_ADDRESS and
DISPLAY) to notify change of terminal/desktop, so that gpg-agent will be
able to spawn pinentry on the particular terminal/desktop.  The
command line to update the envvars is:

  $ gpg-connect-agent UPDATESTARTUPTTY /bye

Well, I fixed a bug of UPDATESTARTUPTTY, and it is in 2.1.14.

More information about the Gnupg-users mailing list