Arch Linux

This is my gpg-agent.conf

pinentry-program /usr/bin/pinentry-curses
pinentry-timeout 60
# no-grab
allow-loopback-pinentry
allow-emacs-pinentry
default-cache-ttl 5400
default-cache-ttl-ssh 5400
max-cache-ttl 10800
max-cache-ttl-ssh 10800
enable-ssh-support
ssh-fingerprint-digest SHA256

It's very simple and I don't think it could lead to gpg-agent core dumps with new libgcrypt.

https://www.gnupg.org/download/git.html -> Please do a local debug build to catch the segfault and then report a gdb BT to the
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel list (I'm subscribed).

Hi.

Could you give some hints how to do that? How I should make debug build? I tried to build gnupg locally with additional option --enable-npth-debug (the only one in configure with debug in it), rest are the same as in PKGBUILD, copied gpg-agent and gpg into /usr/bin and ran

gdb gpg-agent
(gdb) run

(in other terminal window)

gpg -s --clearsign -b COPYING

but got nothing. In gdb I see

(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[87090]: no gpg-agent running in this session
[Inferior 1 (process 87090) exited with code 02]
(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[87094]: no gpg-agent running in this session
[Inferior 1 (process 87094) exited with code 02]

so I assume it doesn't run under gdb, for gpg I see

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: Warning: using insecure memory!
gpg: using "647A5683B8913D2B" as default secret key for signing
gpg: signing failed: End of file
gpg: COPYING: clear-sign failed: End of file

https://wiki.archlinux.org/index.php/Debug_-_Getting_Traces#Compilation_settings

Build a local package libgcrypt and maybe also gnugp with these debug options.
Then try to reproduce the segfault from within gdb and cat the BT. Post the "bt full"
output to the gcrypt-devel mailing list.
"free(): invalid pointer" should be fixed in libgcrypt. The backtrace should show the
source.

I'm afraid that didn't help. I built libgcrypt and gnupg in that order with options 'debug', '!strip' but I didn't see any difference.

To be sure I tried to figure out how gpg-agent is run. I remembered that when I want to sign a file I have to enter password in pinentry-curse program only once, the next file is signed without asking a password. Now I see pinentry-curses window every time and gpg couldn't sign a file.

Before to run gpg-agent in gdb I checked that it isn't run already

$ ps aux | grep gpg | grep -v grep

Then I run gpg-agent in gdb:

$ LANG=en_US.UTF-8 gdb /usr/bin/gpg-agent
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gpg-agent...
(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[313185]: no gpg-agent running in this session
[Inferior 1 (process 313185) exited with code 02]
(gdb)

I see that gpg-agent is run under gdb:

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.2 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent

Now I run gpg on a file

$ LANG=en_US.UTF-8 gpg -s --clearsign -b PKGBUILD
gpg: Warning: using insecure memory!
gpg: using "647A5683B8913D2B" as default secret key for signing
gpg: signing failed: End of file
gpg: PKGBUILD: clear-sign failed: End of file

After that I see only gpg-agent

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.0 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent

While entering password in pinentry-curses window in other terminal I ran

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.1 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent
vladimir 313229 0.0 0.0 11612 5352 pts/3 S+ 17:57 0:00 gpg -s --clearsign -b PKGBUILD
vladimir 313232 0.0 0.0 81096 236 ? Ssl 17:57 0:00 gpg-agent --homedir /home/vladimir/.gnupg --use-standard-socket --daemo

If I try to run gpg again I would be asked to enter password again. That makes me feel that I see the same problem though I don't see coredump in gdb and bt and bt full returns "No stack".

As gpg-agent is run by systemd with --supervised option I tried that as well

$ gdb /usr/bin/gpg-agent
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gpg-agent...
(gdb) run --supervised
Starting program: /usr/bin/gpg-agent --supervised
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent (GnuPG) 2.2.27 starting in supervised mode.
no LISTEN_PID environment variable found in --supervised mode (ignoring)
no LISTEN_FDS or LISTEN_FDNAMES environment variables found in --supervised mode (assuming 1 active descriptor)
Fatal: file descriptor 3 must be valid in --supervised mode if LISTEN_FDNAMES is not set
[Inferior 1 (process 313322) exited with code 02]
(gdb)

but got the same result.

I run all tests in a container, systemd-nspawn, if that matters.

For me gpg-agent doens't segfault here.

Try as user or root "gdb"
"exec /usr/bin/gpg-agent --supervised"
after the crash "bt full" should shot the backtrace with helpfull output.

You will probably get faster help posting to the devel mailing list.

Hello.

Yes, that frustrating, I don't know why gpg-agent is working that way (it "crashes" but I only see this in systemctl log, I couldn't make it works under gdb or don't detach itself from terminal). I could imagine that might be somehow connected with the fact that my hosts running linux-ck kernel (ok, not all, two running linux-zen kernels but these are VPSes) but I don't understand why it works fine with old version of libgcrypt. I would suspect that 1.9.0 version introduces some incompatibility (despite the fact that news message says about API and ABI compatibility).

Besides, when I ran

$ gdb exec /usr/bin/gpg-agent --supervised

gdb said it didn't recognize '--supervised' option (as I understand, all options to a program must be passed to 'run' command in gdb). Without '--supervised' gdb says that it doesn't know what 'exec' is (no wonder, it is shell builtin).

I finally managed to subscribe to gcrypt-devel ML and will continue there. I'll report any findings here.

Hi.

NIIBE Yutaka on libgcrypt-devel mailing list provided a patch for libgcrypt. After applying it and rebuilding both libgcrypt and gnupg (in that order) I now have working gnupg.

Applied the proposed upstream patch from mailing list to 1.9.0-2 - please test if gnupg-agent now works or if gnupg requires a rebuild.

It works! I tested on one of my "work" hosts and gnupg signed file successfully.

P.S. Seems that I screwed up a bit on other host where I tested libgcrypt with applied patch because I had to rebuild and gnupg too.