graphical pinentry no longer working after upgrading to debian bullseye and pinentry and how to resolve it
Thomas Glanzmann
thomas at glanzmann.de
Sun Nov 29 08:24:11 CET 2020
Hello,
I just upgraded to Debian bullseye and the graphical pinentry did not work
anymore. I got the following error message:
2020-11-28 21:37:41 gpg-agent[3535] DBG: connection to PIN entry established
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 -> INQUIRE PINENTRY_LAUNCHED 3633 gtk2:curses 1.1.0 - - -
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 <- END
2020-11-28 21:37:41 gpg-agent[3535] DBG: error calling pinentry: Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] failed to unprotect the secret key: Inappropriate ioctl for device
2020-11-28 21:37:41 gpg-agent[3535] failed to read the secret key
2020-11-28 21:37:41 gpg-agent[3535] command 'PKDECRYPT' failed: Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 -> ERR 83918950 Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 <- [eof]
I did the following to resolve the issue:
- Installed pinentry-gnome3 because that for one of two systems
dis resolve the issue for me without anything else below. I
also installed pinentry-gnome3 because it grabs the keyboard,
deinstalled any other pinentry (like gtk2 which does not grab
the keyboard, if you have focus follows mouse on fvwm2)
apt install -y pinentry-gnome3 dbus-x11
- Added the following to my .xsession. This is necessary because in
bullseye gpg-agent seems to be started by systemd sometimes without
the correct display set
gpg-connect-agent UPDATESTARTUPTTY /bye
- gpg.conf (just to have a fully working example):
keyserver hkp://pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
cert-digest-algo SHA512
no-greeting
lock-once
default-key <key>
encrypt-to <key>
keyid-format 0xlong
use-agent
with-fingerprint
quiet
default-recipient-self
no-secmem-warning
keyserver-options auto-key-retrieve
no-auto-check-trustdb
trust-model direct
no-autostart
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
- gpg-agent.conf (I tried here a lot in the old days I had keep-display
and keep-tty and restarted gpg-agent in my .xsession. that does not work
anylonger becuase systemd seems to start gpg-agent. What also
worked was calling pinentry using a wrapper script which
sets the DISPLAY variable explicitly, but this gives me more
flexibility, not that I need it. Because I always enter my
passphrase using X11 on system I'm sitting in front of)
enable-ssh-support
default-cache-ttl 34560000
max-cache-ttl 34560000
default-cache-ttl-ssh 34560000
max-cache-ttl-ssh 34560000
allow-mark-trusted
With the above setup the following works:
- gpg locally
gpg -d test.gpg
- gpg as ssh-agent
ssh remotesystem
- gpg remotely
ssh -A -R /home/sithglan/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra remotesystem gpg -d test.gpg
- sshfs using gpg as ssh-agent:
# automounter sshfs
apt-get install sshfs autofs
echo '/ssh /etc/auto.sshfs --timeout=60' >> /etc/auto.master
cat > /etc/auto.sshfs <<'EOF'
#!/bin/bash
echo -e "-fstype=fuse,rw,nodev,noatime,allow_other,ssh_command=/usr/local/sbin/ssh_sshfs / sshfs\#${1}:/"
EOF
cat > /usr/local/sbin/ssh_sshfs <<'EOF'
#!/bin/bash
if [ "${UID}" == 0 ]; then
exec /usr/bin/sudo -H -u sithglan $0 "$@"
fi
export LOCALDOMAIN="glanzmann.de gmvl.de cs.fau.de"
source ~sithglan/.ssh/env
exec /usr/bin/ssh "$@"
EOF
chmod +x /etc/auto.sshfs /usr/local/sbin/ssh_sshfs
/etc/init.d/autofs restart
Tripwires:
- nsswitch.conf: automount: files
- 'echo export SSH_AUTH_SOCK=${SSH_AUTH_SOCK} > ~/.ssh/env'
Feedback, improvement and explanations welcome.
Cheers,
Thomas
More information about the Gnupg-users
mailing list