
#51 2023-03-12 16:12:16

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Constant prompts about trusting Root CA after gnupg update

I see. You previously said that gpgsm is started by systemd, and it apparently uses the `--server` flag, so it's presumably a persistent gpgsm process. Can you check whether gpgsm appears in `systemctl --user status`? If so, take note of the unit name and run `systemctl --user status $UNIT_NAME`.

Also, try to set the following options in ~/.gnupg/gpgsm.conf:

log-file /home/Termy/gpgsm.log
debug-level expert

This should (I don't know if --logger-fd perhaps overrides --log-file) log a lot into the given log file; this will not point to the cause directly, but it should at least tell you what exactly gpgsm is doing.

Offline

#52 2023-03-14 07:58:09

Termy
Member
Registered: 2019-11-06
Posts: 43

Re: Constant prompts about trusting Root CA after gnupg update

Ok, so downgrade to 2.2.40 really doesn't bring the prompts up, update to 2.2.41 brings them up exactly 60min after reboot.

I've not looked in detail in the (very lengthy) expert-debug logs, but what jumps to my eye pretty much at the beginning is this difference:
2.2.40:

2023-03-13 11:33:38 gpgsm[46942] DBG: chan_7 -> MARKTRUSTED xxx S /CN=GlobalSign/OU=GlobalSign Root CA - R3/O=GlobalSign
2023-03-13 11:33:38 gpgsm[46942] DBG: chan_7 <- ERR 67141739 Die Operation ist nicht erlaubt <GPG Agent>
2023-03-13 11:33:38 gpgsm[46942] DBG: get_keygrip for public key

2.2.41:

2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 -> MARKTRUSTED xxx S /CN=GlobalSign/OU=GlobalSign Root CA - R3/O=GlobalSign
2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 <- INQUIRE PINENTRY_LAUNCHED 20861 qt 1.2.1 - - :0 - 1000/984 0
2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 -> END
2023-03-14 08:50:50 gpgsm[20858] DBG: chan_7 <- ERR 83886179 Verarbeitung wurde abgebrochen <Pinentry>
2023-03-14 08:50:50 gpgsm[20858] Interaktives vertrauenswürdig-Markieren ist in dieser Sitzung ausgeschaltet
2023-03-14 08:50:50 gpgsm[20858] DBG: get_keygrip for public key

at line 47. Before and after that it looks pretty identical on first glance.
I'll check the other points later when I have more time.

Offline
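The comparison made by hand in the post above can be scripted. The following is an added example, not part of the thread or of GnuPG: it pairs each `MARKTRUSTED` request in a gpgsm debug log with the agent's final reply, notes whether a pinentry was launched in between, and splits the numeric error using the libgpg-error layout (source in bits 24-30, code in the low 16 bits). The function names and result fields are chosen here for illustration.

```python
import re

# Log lines copied from the post above (2.2.40 first, then 2.2.41).
SAMPLE_LOG = """\
2023-03-13 11:33:38 gpgsm[46942] DBG: chan_7 -> MARKTRUSTED xxx S /CN=GlobalSign/OU=GlobalSign Root CA - R3/O=GlobalSign
2023-03-13 11:33:38 gpgsm[46942] DBG: chan_7 <- ERR 67141739 Die Operation ist nicht erlaubt <GPG Agent>
2023-03-13 11:33:38 gpgsm[46942] DBG: get_keygrip for public key
2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 -> MARKTRUSTED xxx S /CN=GlobalSign/OU=GlobalSign Root CA - R3/O=GlobalSign
2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 <- INQUIRE PINENTRY_LAUNCHED 20861 qt 1.2.1 - - :0 - 1000/984 0
2023-03-14 08:50:40 gpgsm[20858] DBG: chan_7 -> END
2023-03-14 08:50:50 gpgsm[20858] DBG: chan_7 <- ERR 83886179 Verarbeitung wurde abgebrochen <Pinentry>
"""

LINE = re.compile(r"^(\S+ \S+) gpgsm\[(\d+)\] DBG: (chan_\d+) (->|<-) (.*)$")

def decode_err(value):
    """Split a libgpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF

def marktrusted_outcomes(text):
    """Pair each MARKTRUSTED request with the agent's final OK/ERR reply."""
    pending, results = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # non-channel lines such as "get_keygrip for public key"
        when, pid, chan, direction, msg = m.groups()
        key = (pid, chan)
        if direction == "->" and msg.startswith("MARKTRUSTED "):
            fields = msg.split(" ", 3)  # as seen in the log: verb, fingerprint, flag, subject
            subject = fields[3] if len(fields) > 3 else ""
            pending[key] = {"time": when, "subject": subject, "prompted": False}
        elif direction == "<-" and key in pending:
            if msg.startswith("INQUIRE PINENTRY_LAUNCHED"):
                pending[key]["prompted"] = True  # the agent opened a dialog
            elif msg.startswith(("OK", "ERR ")):
                entry = pending.pop(key)
                parts = msg.split()
                entry["status"] = parts[0]
                err = int(parts[1]) if parts[0] == "ERR" else 0
                entry["source"], entry["code"] = decode_err(err)
                results.append(entry)
    return results

if __name__ == "__main__":
    for r in marktrusted_outcomes(SAMPLE_LOG):
        how = "prompted" if r["prompted"] else "silent"
        print(r["time"], how, r["status"], r["source"], r["code"], r["subject"])
```

On the two excerpts, the 2.2.40 request is refused by the agent without a dialog (source 4, code 32875, a system errno wrapped with the 0x8000 bit), while the 2.2.41 request launches a pinentry and ends with source 5, code 99 (cancelled).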

#53 2023-03-14 09:39:34

seth
Member
Registered: 2012-09-03
Posts: 50,957

Re: Constant prompts about trusting Root CA after gnupg update

There aren't many changes between 2.2.40 and 2.2.41
https://dev.gnupg.org/rGd9271d594b5b81c … 67390e83a5 / gpgsm
https://dev.gnupg.org/rG6ba5b6b85451ef6 … 551e11b97b / gpgagent
look related to the above (and are the only changes in those parts)

https://dev.gnupg.org/rG6ba5b6b85451ef6 … 551e11b97b would have thrown an EPERM from gpg agent and this would indeed very much suggest that there has been a bug that got fixed by random chance while addressing a Windows-specific problem…
You could try to build gnupg w/ that patch reverted, https://wiki.archlinux.org/title/Arch_Build_System

Offline

#54 2023-03-15 08:12:50

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Constant prompts about trusting Root CA after gnupg update

Seeing the commit seth found, you could try to create an empty trustlist.txt file and see if the prompt starts appearing in 2.2.40 as well. But it would probably not add much: I tend to agree with seth that the log indicates that the absence of prompts was not intended behaviour, and that you're now seeing the correct behaviour from gnupg. However, you could take your situation and the detailed log to the gnupg issue tracker to have this confirmed (or fixed if it turns out to be a bug after all).

All the more I think the best way for you to deal with these unwanted prompts is to just disable the user trustlist.

I had hoped that the gpgsm log provides some indication (some kind of user agent) of the calling application, but apparently it doesn't, so figuring out what makes (presumably) kmail try to mark CA certificates trusted every hour may be tedious.  If disabling the user trust list works for you it just may not be worth the effort…

Offline

#55 2023-03-15 08:49:24

Termy
Member
Registered: 2019-11-06
Posts: 43

Re: Constant prompts about trusting Root CA after gnupg update

Yeah, I tend to agree that this might be a solved bug and the event that causes it may lie far in the past (an older S/MIME-Mail for example...) and be tedious to find.
I might open a gnupg issue to be sure, but first I want to test your suggestions around an empty trustlist and maybe a bisect... I just have to find time for that ^^

Thanks to you both anyway!

Offline
