Hi,
when having to unlock my GPG keys, I used to enter my password in a graphical dialog. This stopped working some weeks ago when the procedure of signing emails and git commits failed with the error message 'Inappropriate ioctl for device'. I could trace back the error to pinentry, as indicated by the log of the gpg-agent:
$ journalctl --user -u gpg-agent
...
Nov 01 00:55:54 orion gpg-agent[2084]: command 'PKSIGN' failed: Inappropriate ioctl for device <Pinentry>
Nov 01 00:58:43 orion gpg-agent[5321]: Failed to lookup password for key n/224386F1D677276CB149FCCBE9035F32F02AECF2 with secret service: The name org.freedesktop.secrets was not provided by any .service files
Nov 01 00:58:43 orion gpg-agent[2084]: failed to unprotect the secret key: Inappropriate ioctl for device
Nov 01 00:58:43 orion gpg-agent[2084]: failed to read the secret key
...
Also, googling this error message brought up lots of results, almost all of which I have read. Most of them suggested to add the line
export GPG_TTY=$(tty)
to the shell initialisation script (.zshrc) to explicitly communicate the current tty, which is also pointed out on the gpg-agent man page. Doing this circumvented the problem in the terminal, but the problem still persists for graphical applications like my mail client. Another approach I tried was to add the lines
if [[ -n $DISPLAY ]]; then
  exec pinentry-qt "$@"
fi
to the file /etc/pinentry/preexec with the intent to explicitly check whether the $DISPLAY variable is set and to launch the graphical Qt version of the password dialog accordingly. This did not show any effect.
What exactly is the reason for this error? And since it worked seamlessly before, what could have triggered the error? And how can it be solved?
Offline
cat ~/.gnupg/gpg-agent.conf
Did you check whether the preexec script is executed at all (e.g. "date >> /tmp/pin.try")?
Online
Here the configuration of the agent:
$ cat ~/.gnupg/gpg-agent.conf
# Keys are cached for one hour, but 12 hours at most
default-cache-ttl 3600
max-cache-ttl 43200
No, I did not check it since I did not know how. What do you want to achieve with "date >> /tmp/pin.try"? On my system, it only created the file.
Nevertheless, the problem magically disappeared after I set the pinentry program explicitly via the line
pinentry-program /usr/bin/pinentry-qt
in the gpg-agent configuration, reloaded the agent, reverted this configuration and reloaded the agent again. I can now also confirm that the script is executed, since the problem reappears iff the script is removed. But I have no clue what actually changed, because I changed neither the gpg-agent config nor the script.
Offline
What do you want to achieve with "date >> /tmp/pin.try"?
This prints the current date into the /tmp/pin.try file - the fact that it "appears" tells us that the preexec script gets called
I assume reloading the agent was the crucial bit?
The name org.freedesktop.secrets was not provided by any .service files
sounds like gpg-agent would like to invoke a dbus service (kwallet or gnome-keyring etc)
=> What kind of session/desktop environment is this?
loginctl session-status
Online
What do you want to achieve with "date >> /tmp/pin.try"?
This prints the current date into the /tmp/pin.try file - the fact that it "appears" tells us that the preexec script gets called
Ah, you wanted to put it into the script, I did not get it before.
I assume reloading the agent was the crucial bit?
I do not think so. I do not know how the agent works internally, but the problem existed for weeks in which the system was rebooted several times, hence the agent should intuitively have been reloaded also several times.
The name org.freedesktop.secrets was not provided by any .service files
sounds like gpg-agent would like to invoke a dbus service (kwallet or gnome-keyring etc)
=> What kind of session/desktop environment is this?
loginctl session-status
Yes, exactly. This is expected, since I use KDE Plasma and Kwallet, but Kwallet does not implement the Freedesktop secrets service.
Offline
the system was rebooted several times
W/ the preexec script present?
No idea whether that works, but according to https://wiki.archlinux.org/title/GnuPG#pinentry you can use https://aur.archlinux.org/packages/kwalletcli/ to use kwallet as the pinentry
Online
W/ the preexec script present?
Yes.
No idea whether that works, but according to https://wiki.archlinux.org/title/GnuPG#pinentry you can use https://aur.archlinux.org/packages/kwalletcli/ to use kwallet as the pinentry
Thanks! It addresses a different idea, which I do not intend to use now but is certainly helpful.
Offline
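A more informative version of the "date >> /tmp/pin.try" check discussed in the thread, as an added example that is not part of any post: it records which display and tty variables the preexec hook actually sees and which frontend that implies. The function names, the log location under XDG_RUNTIME_DIR, the WAYLAND_DISPLAY and GPG_TTY checks and the pinentry-curses fallback are assumptions of this example; only the $DISPLAY test and pinentry-qt come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): trace the environment a pinentry
# preexec hook runs in. Assumes the hook is run with pinentry's environment,
# as /etc/pinentry/preexec was in the thread.

# Log into the per-user runtime directory rather than a predictable,
# world-writable /tmp path (assumed location, falls back to $HOME).
pin_trace_file() {
    printf '%s/pinentry-preexec.log\n' "${XDG_RUNTIME_DIR:-$HOME}"
}

# Print the frontend that fits the environment (hypothetical policy):
# graphical session -> pinentry-qt, usable tty -> pinentry-curses, else none.
pin_choose() {
    if [ -n "${DISPLAY:-}" ] || [ -n "${WAYLAND_DISPLAY:-}" ]; then
        echo pinentry-qt
    elif [ -n "${GPG_TTY:-}" ] && [ -c "${GPG_TTY}" ]; then
        echo pinentry-curses
    else
        # Neither display nor tty: the situation in which a tty-based
        # frontend fails with "Inappropriate ioctl for device".
        echo none
    fi
}

# Append one timestamped line per invocation, then print the choice.
pin_trace() {
    choice=$(pin_choose)
    (
        umask 077   # keep the log readable by the owner only
        printf '%s DISPLAY=%s WAYLAND_DISPLAY=%s GPG_TTY=%s choice=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" \
            "${DISPLAY:-unset}" "${WAYLAND_DISPLAY:-unset}" \
            "${GPG_TTY:-unset}" "$choice" >> "$(pin_trace_file)"
    )
    echo "$choice"
}

# Hypothetical wiring inside the hook itself:
#   choice=$(pin_trace); [ "$choice" != none ] && exec "$choice" "$@"
```

A log line showing DISPLAY=unset when the request came from a graphical application means the variable never reached pinentry, which is a different problem from the hook not running at all.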