gpg-agent/pinentry: How to verify calling application

Peter Lebbing peter at digitalbrains.com
Wed Jul 19 11:50:29 CEST 2017


On 19/07/17 00:10, Hartmut Knaack wrote:
> [...], I checked with ps aux:
> 
> me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- -&14
> 
> And pstree outputs:
> 
> systemd---systemd---gpg2

Hah, that's not helpful, thanks, systemd! All we've learned is that
whatever is invoking gpg2 is using systemd for that, I suppose. Well,
*that* narrows it down! Perhaps you can find something with journalctl,
which allows you to read systemd logs, I dunno. I'm still pretty new to
the systemd world. I do intend to learn.

I never use pstree, I use ps's "f" (forest) option. Does that show the
same thing? If you just add the "f" to your options, it would be ps
faux, sounds French fake but will work :-). Is there anything
informative in the full command line of those systemd processes?

> When hitting cancel on that pinentry window, I get another window, stating
> that kwallet wants to get access to my private key.

That is a lot more informative. I believe kwallet is the credential
manager for KDE, keeping passwords and stuff.

I've got two guesses:

1) At some point you permitted kwallet to encrypt all your credentials
using your OpenPGP key. It is simply trying to decrypt your "wallet" so
it can be accessed.

2) It wants to add your private key to its credentials and manage it for
you from now on.

1) is pretty benign and actually cool, 2) might not be to your liking at
all. Personally, my neck hair rises remembering the way gnome-keyring
"interacted" with GnuPG back in the day. This is water under the bridge
now, gnome-keyring is a fine citizen again these days, and I thank them
for that.

However, I don't know kwallet other than its basic function. I hope my
contribution helps you along, small as it is.

HTH,

Peter.

PS: I just had a similar thing the other day where an ssh-agent was
launched against my will, but it had no parents at all in the process
tree! Cost me a long time of fruitless bug hunting until I thought of
replacing /usr/bin/ssh-agent with a shell script that logged "ps fx"
output at the moment it was invoked, when it still had a parent. Then
everything went quickly from there on.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

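The trick from the PS, written out as an added example (this is not Peter's script): a POSIX sh stand-in installed under the name of the program whose invoker you want to find (ssh-agent here), which records the process forest while the parent is still around and then hands over to the real binary; the renamed-binary path and log location are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: a stand-in for a program whose
# invoker you want to identify. Install it under the wrapped program's name
# (e.g. /usr/bin/ssh-agent) after moving the real binary aside; the path of
# the renamed binary below is an assumption, adjust it to your system.

WRAPPED="ssh-agent"                              # name this wrapper is installed as
REAL="${WRAPPER_REAL:-/usr/bin/ssh-agent.real}"  # assumed location of the real binary
LOGFILE="${WRAPPER_LOG:-/tmp/${WRAPPED}-invocations.log}"

# Append a snapshot of who invoked us: time, our pid/ppid, the arguments we
# were given, the parent's command line and the process forest ("ps fx").
# Taken before exec, while the parent is still there to be seen.
log_invocation() {
    {
        printf '=== %s pid=%s ppid=%s args:' "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$PPID"
        for a in "$@"; do printf ' [%s]' "$a"; done
        printf '\n'
        printf 'parent: '
        ps -o pid=,ppid=,args= -p "$PPID" 2>/dev/null || printf '(parent gone)\n'
        ps fx 2>/dev/null || ps -ef 2>/dev/null || printf '(ps unavailable)\n'
        printf '\n'
    } >>"$LOGFILE"
}

# Log, then hand over to the real program so normal behaviour is unchanged
# (same arguments, same stdin/stdout; exec keeps the same pid).
run_wrapper() {
    log_invocation "$@"
    exec "$REAL" "$@"
}

# Only act when actually invoked under the wrapped name; when sourced or
# run under another name the functions are merely defined.
case "${0##*/}" in
    "$WRAPPED") run_wrapper "$@" ;;
esac
```

Once the culprit is found, put the real binary back; a wrapper left in place is one more thing to forget about at the next upgrade.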