Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key

NIIBE Yutaka gniibe at fsij.org
Thu Jul 21 04:21:49 CEST 2016


On 07/20/2016 05:06 PM, Thomas Glanzmann wrote:
> I have yubikey 4 plugged into my Laptop, than I use ssh to forward my
> gpg agent socket to a remote machine, On the remote machine I start mutt
> and would like to read an encrypted email using the RSA encryption key
> stored on my yubikey. It works if I use gpg2 to enter the pin by opening
> an encrypted file using the same encryption key. Mutt does _not_ prompt
> me to enter the pin for the smartcard. I assume that code is missing in
> mutt to prompt for the key. Is there any documentation or another
> possible simple example how to obtain that so that I can write a patch
> for mutt?
> 
> My mutt config:
> 
> set crypt_use_gpgme=yes
> 
> The mutt error messages are:
> Could not decrypt PGP message
> Could not copy message
> 
> When I prepopulate using the remote machine:
> PGP message successfully decrypted.

What do you mean by the term "prepopulate"?  Do you invoke
"gpg --card-edit" command line, to invoke the
subcommand "verify"?


In this message, I explain standard pinentry (not loopback mode).

It is gpg-agent which invokes pinentry.  It is not the client program
of gpgme.

Here are steps and the interaction.

(1) here are the processes
 [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
                  ^--- possibly by forwarded socket

(2) A client program (Mutt, in your case) asks decryption through gpgme
       decrypt
 [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]

(3) it goes to scdaemon
               decrypt
 [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]

                              decrypt
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(4) if the token is not authenticated yet,
    scdaemon asks a user PIN back through gpg-agent
                               "PIN please"
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]


(5) Then, gpg-agent invokes pinentry.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
            [pinentry]<---/

(6) pinentry pops up GUI dialog window to user.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User <----[pinentry]----/

(7) User inputs PIN by the dialog.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User ---->[pinentry]----/
        PIN

 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          ^
            [pinentry]----/
                      PIN

                                PIN
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(8) scdaemon sends the pin to the token to authenticate.
                                              PIN
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(9) Token is ready to decrypt, now.
    scdaemon sends encrypted message to the token.
                                              decrypt
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(10) token replies back by decrypted message.... to gpgme.
                                            decrypted
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]

                                decrypted
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]

                 decrypted
 [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]

       decrypted
 [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]


You can configure gpg-agent to emit debug message to file.
Here is an example configuration

======================== .gnupg/gpg-agent.conf
debug-level guru
debug-all
log-file /tmp/gpg-agent.log
 (or /run/user/<UID>/gpg-agent.log )
========================

Prepare the file, and type following command line:

  $ gpg-connect-agent RELOADAGENT /bye

Then, try to decrypt.  You can figure out the place where thing's
going wrong.

It sounds for me that gpg-agent fails in the step (5) in the figure
above, for some reason.

I have an experience pinentry-gnome3 fails soon after it is execed,
while pinentry-gtk works well.  In some cases, we need to update
environment variable of gpg-agent (like DBUS_SESSION_BUS_ADDRESS and
DISPLAY) to notify change of terminal/desktop, so that gpg-agent will be
able to spawn pinentry on the particular terminal/desktop.  The
command line to update the envvars is:

  $ gpg-connect-agent UPDATESTARTUPTTY /bye

Well, I fixed a bug of UPDATESTARTUPTTY, and it is in 2.1.14.
-- 



More information about the Gnupg-users mailing list