FS#58425 - [pinentry] Unlocking openpgp secret key no longer works with pinentry 1.1.0-2

Attached to Project: Arch Linux
Opened by Gluten (gluten) - Wednesday, 02 May 2018, 06:17 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 07 May 2018, 05:12 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Gaetan Bisson (vesath)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

I use 'pass' to manage my passwords, stored as gpg-encrypted files. pass depends on pinentry via the gnupg package. I'm also using gnome, and have libgcr-base on my system:

$ test -e /usr/lib/libgcr-base-3.so.1
(exit status 0).

I upgraded pinentry from 1.1.0-1 to 1.1.0-2 and since then I've had very high failure probabilities when trying to unlock my passphrase-protected private key so that I can decrypt my 'pass' passwords. I've tried directly calling 'gpg' instead of going through 'pass', to no avail:

$ gpg -v -d .password-store/reddit.gpg
This brings up the modal dialog that says "Please enter the passphrase to unlock the OpenPGP secret key...". Then when I type in that passphrase it fails, saying I typed it in wrong - but I'm quite confident I didn't!

What's really weird is that it still occasionally works, just fails _most_ of the time.

Filing here instead of against the gnupg or pass packages because as far as I can tell this change was correlated with upgrading pinentry.

Additional info:
* package version(s): 1.1.0-2
* config and/or log files etc.

Pass is present here: https://www.archlinux.org/packages/community/any/pass/


Steps to reproduce:

Closed by Gaetan Bisson (vesath)
Monday, 07 May 2018, 05:12 GMT
Reason for closing: Upstream
Comment by Gluten (gluten) - Wednesday, 02 May 2018, 06:47 GMT
Update: it seems to work reliably if I enter the uppercase letters in my passphrase by toggling Caps Lock instead of holding down Shift. This might be an upstream bug?
Comment by Gaetan Bisson (vesath) - Wednesday, 02 May 2018, 07:26 GMT
More likely an issue with your Shift key.
Comment by Gaetan Bisson (vesath) - Wednesday, 02 May 2018, 07:27 GMT
Can you see if downgrading to pinentry-1.1.0-1 fixes your issues?
Comment by Jan Alexander Steffens (heftig) - Wednesday, 02 May 2018, 07:30 GMT
Or edit .gnupg/gpg-agent.conf and add "pinentry-program /usr/bin/pinentry-gtk-2", that will last.

In any case, if you use GNOME you should be using pinentry-gnome3, which communicates with the shell to show modal dialogs, which, at least on Wayland, aren't trivially interceptable.

If this isn't a problem with the hardware or some input method, it's probably an issue with the shell.
Comment by Macaroni (macaroni) - Wednesday, 02 May 2018, 17:58 GMT
Hi - OP (Gluten) here again (I forgot my password, so I made a new account).

Thanks for the quick replies, vesath and heftig!

Downgrading to pinentry-1.1.0-1 fixes the problem, probably because that defaults to using the gtk dialog instead of the Gnome/Wayland modal dialog. (And as a bonus I learnt how easy it is to downgrade packages in arch!)

I don't believe this is an issue with my physical Shift key, since I have no problems entering uppercase letters in every other typing context (such as this bug report :) ).

Do either of you have any suggestions about where I can take this bug report?

Thanks!
Comment by Doug Newgard (Scimmia) - Thursday, 03 May 2018, 01:37 GMT
We should really blacklist these throw-away mail services.
Comment by Wesley Moore (wezm) - Monday, 07 May 2018, 03:53 GMT
I encountered the same issue on two different arch installs that I had set to use pinentry-gnome3 specifically (for HiDPI support). Recently it stopped accepting my password. Changing to the Qt or GTK2 pinentry works around the problem (for now).

diff --git a/gpg-agent.conf b/gpg-agent.conf
index 5d19d34..a2449d7 100644
--- a/gpg-agent.conf
+++ b/gpg-agent.conf
@@ -1 +1 @@
-pinentry-program /usr/bin/pinentry-gnome3
+pinentry-program /usr/bin/pinentry-gtk-2
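Review bot: the added line `pinentry-program /usr/bin/pinentry-gtk-2` carries no comment marking it as a temporary workaround, so nothing in gpg-agent.conf records that `/usr/bin/pinentry-gnome3` should be restored once the passphrase problem is fixed. Put a `#` comment above it saying why the program was switched: as noted earlier in this thread, pinentry-gnome3 shows its dialog through the shell, and on Wayland that dialog is not trivially interceptable, which is the reason given there for preferring it under GNOME. A running gpg-agent also has to re-read its configuration before the new program is used (`gpgconf --reload gpg-agent`).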
Comment by Gaetan Bisson (vesath) - Monday, 07 May 2018, 05:12 GMT
Could you report this issue upstream? This does not seem like something we can fix packaging-wise so I'll close this report for now but will be happy to backport any fix you/upstream can think of. Cheers.
