Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key

Thomas Glanzmann thomas at glanzmann.de
Thu Jul 21 08:00:36 CEST 2016


Hello Niibe,

* NIIBE Yutaka <gniibe at fsij.org> [2016-07-21 04:24]:
> What do you mean by the term "prepopulate"?

Use the GPG key once on the workstation, so that the private key is
unlocked in the memory of the GPG agent, or at least the PIN/transport key is
available.

> In this message, I explain standard pinentry (not loopback mode).

Thank you for the explanation, it helped me understand and debug gpg-agent.

> ======================== .gnupg/gpg-agent.conf
> debug-level guru
> debug-all
> log-file /tmp/gpg-agent.log

> Prepare the file, and type following command line:

>   $ gpg-connect-agent RELOADAGENT /bye

Okay, thanks to that I got to the bottom of it, so now comes the crazy
part: I use gpg-agent forwarding, like the following:

gpg-agent is running on workstation and uses a graphical pinentry.
(workstation) [~] ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent remote

The remote machine sends the DISPLAY location over gnupg agent
forwarding. Then my local machine appears to try to start pinentry with
the display location of the remote machine, which of course fails
because on the remote machine my DISPLAY=localhost:10, on the local
machine it is DISPLAY=:0 and there is no DISPLAY=localhost:10. The
pinentry locally fails and I'm never asked for a PIN. To fight the
symptoms, I can unset DISPLAY before invoking gpg2 or mutt/gpgme. Btw. it
now works for everything, 'gpg2 -d' and mutt/gpgme, as long as I unset
DISPLAY. From my point of view gpg-agent should ignore any DISPLAY
settings coming over the unix socket, because it already knows the
DISPLAY location. And after reading the gpg-agent documentation there are the
'keep-display' and 'keep-tty' options. These options only take effect after
completely restarting the gpg-agent; 'RELOADAGENT' is not sufficient. But anyway that
solves my problem. So thanks a lot for helping me get to the bottom of it and
better understand how gpgme, gpg2, and gpg-agent work.

TLDR:
Remote machine sent local DISPLAY over forwarded gpg agent, local gpg-agent
tried to use the remote DISPLAY location locally which failed, as a result
pinentry could not ask me for the PIN.

To correct the configuration problem, I did:
echo 'keep-display' >> ~/.gnupg/gpg-agent.conf
echo 'keep-tty' >> ~/.gnupg/gpg-agent.conf

And had to restart gpg-agent. RELOADAGENT is insufficient. Afterwards the
DISPLAY location from the remote machine is ignored. And the correct local
DISPLAY location is used.

Cheers,
        Thomas

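An added example, not part of the original message and not GnuPG's own code: a POSIX shell script that applies the keep-display/keep-tty fix from this thread idempotently (so a second run does not duplicate the lines), restarts the agent the way the thread says is required, and wraps the ssh -R socket forwarding. Assumptions (mine, not the thread's): gpg-agent.conf lives under $GNUPGHOME (default ~/.gnupg); the remote host has the same home directory layout, so the local socket path is reused verbatim as the remote path, exactly as the thread's ssh -R line does; and gpgconf accepts "--list-dirs agent-socket". The REMOTE_HOST and APPLY_GPG_AGENT_FORWARDING variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message or from GnuPG): make the
# keep-display / keep-tty fix idempotent and show the forwarding setup
# around it. Assumptions: gpg-agent.conf is under $GNUPGHOME; the remote
# host shares the home layout so the local agent socket path can be used
# as the remote path too; gpgconf supports --list-dirs agent-socket.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_CONF="$GNUPGHOME/gpg-agent.conf"

# agent_conf_has FILE OPTION: succeed if OPTION is set as an active
# (uncommented) line in FILE. A "#keep-display" line does not count.
agent_conf_has() {
    grep -q "^[[:space:]]*$2"'[[:space:]]*$' "$1" 2>/dev/null
}

# ensure_agent_option FILE OPTION: append OPTION unless already active,
# so running the script twice does not duplicate lines.
ensure_agent_option() {
    agent_conf_has "$1" "$2" && return 0
    printf '%s\n' "$2" >> "$1"
}

# configure_agent_forwarding FILE: add the two options from the thread.
# keep-display / keep-tty make gpg-agent ignore the DISPLAY / TTY that a
# forwarded client sends over the socket and keep using the ones it was
# started with, so pinentry appears on the workstation's own display.
configure_agent_forwarding() {
    mkdir -p "$(dirname "$1")"
    ensure_agent_option "$1" keep-display
    ensure_agent_option "$1" keep-tty
}

# restart_gpg_agent: these options are only read at agent startup, so
# "gpg-connect-agent RELOADAGENT /bye" is not enough; kill and relaunch.
restart_gpg_agent() {
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
}

# forward_agent_to HOST: forward the local agent socket to the same path
# on HOST (the thread's "ssh -R local_sock:remote_sock remote"). ssh cannot
# bind over a stale socket on the remote side; "StreamLocalBindUnlink yes"
# in the remote sshd_config lets it replace one.
forward_agent_to() {
    sock=$(gpgconf --list-dirs agent-socket)
    ssh -R "$sock:$sock" "$1"
}

# Only touch the real system when explicitly asked (hypothetical variable
# names), e.g.:
#   APPLY_GPG_AGENT_FORWARDING=1 REMOTE_HOST=remote sh forward-agent.sh
if [ "${APPLY_GPG_AGENT_FORWARDING:-0}" = 1 ]; then
    configure_agent_forwarding "$AGENT_CONF"
    restart_gpg_agent
    forward_agent_to "${REMOTE_HOST:?set REMOTE_HOST to the ssh destination}"
fi
```

Sourcing the file defines the functions without side effects; configure_agent_forwarding can be pointed at a scratch file to check that a commented-out "#keep-tty" is treated as absent and that repeated runs leave exactly one active copy of each option.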


More information about the Gnupg-users mailing list