gpgsm chain validation not working when gnome-keyring is running

Bug #952094 reported by nic-stange
This bug affects 2 people
Affects: gnupg2 (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

Hi everybody,

on a fresh user account (Ubuntu 11.10 x86_64), gpgsm fails to validate certificates because gnome-keyring overwrites the GPG_AGENT_INFO initially set by gpg-agent (started through /etc/X11/Xsession.d/90gpg-agent with patch from https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/743268 already applied by hand).

test@nic-desktop:~$ echo $GPG_AGENT_INFO
/tmp/keyring-EhHy5E/gpg:0:1
test@nic-desktop:~$ sudo lsof /tmp/keyring-EhHy5E/gpg
Password:
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/test/.gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gnome-key 11834 test 15u unix 0xffff88007c276080 0t0 27229833 /tmp/keyring-EhHy5E/gpg
test@nic-desktop:~$ LC_ALL=C gpgsm -k --with-validation > gpgsm_gnome-keyring.out 2>&1
test@nic-desktop:~$ . .gnupg/gpg-agent-info-nic-desktop
test@nic-desktop:~$ echo $GPG_AGENT_INFO
/tmp/gpg-OqCLX5/S.gpg-agent:11883:1
test@nic-desktop:~$ sudo lsof /tmp/gpg-OqCLX5/S.gpg-agent
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/test/.gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gpg-agent 11883 test 5u unix 0xffff8800b8534d00 0t0 27228418 /tmp/gpg-OqCLX5/S.gpg-agent
test@nic-desktop:~$ LC_ALL=C gpgsm -k --with-validation > gpgsm_gpg-agent.out 2>&1
test@nic-desktop:~$
(see attached tar for the output files)

Unfortunately, the agent built into the gnome-keyring doesn't seem to support all the certificate types/operations/whatever needed by gpgsm cert validation.
I verified this (actually tracked it down) with a debugger:
gnupg-2.0.18/sm/certchain.c:1308
istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL, rootca_flags);
always returns GPG_ERR_UNSUPPORTED_CERT

I don't know if it is possible to disable gnome-keyring's gpg-agent part.
I chose to assign this bug report to gpgsm instead of to gnome-keyring since gnome-keyring is kind of default on an Ubuntu system and I believe that an 'apt-get install gpgsm' should just work.

[nic] ~ % lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
[nic] ~ % LC_ALL=C apt-cache policy gpgsm
gpgsm:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg2
gnupg2:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg-agent
gnupg-agent:
  Installed: 2.0.17-2ubuntu2
  Candidate: 2.0.17-2ubuntu2
  Version table:
 *** 2.0.17-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ % LC_ALL=C apt-cache policy gnupg
gnupg:
  Installed: 1.4.11-3ubuntu1
  Candidate: 1.4.11-3ubuntu1
  Version table:
 *** 1.4.11-3ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status
[nic] ~ %
This system had been upgraded to oneiric from natty once. Let me know if you need some more information.

Best,

Nicolai

nic-stange (nic-stange) wrote :

Removing /etc/xdg/autostart/gnome-keyring-gpg.desktop makes gnome-keyring not overwrite GPG_AGENT_INFO with its own stuff. But I don't know how to do this on a per-user basis.

Michael Bienia (geser) wrote :

Copy /etc/xdg/autostart/gnome-keyring-gpg.desktop to ~/.config/autostart/gnome-keyring-gpg.desktop and add
X-GNOME-Autostart-enabled=false
to it.

You could disable it per-user with "gnome-session-properties" but as this .desktop file has a "NoDisplay=true" entry, you don't see it there. (If you remove the NoDisplay line from your copy of that file, you can enable/disable it with gnome-session-properties)
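The per-user override Michael describes, as an added example script (not from the bug report or the gnupg2 package): it copies the system .desktop file into the user's autostart directory with X-GNOME-Autostart-enabled=false appended and the NoDisplay line dropped, and it also parses a GPG_AGENT_INFO value so you can tell whether the socket still belongs to gnome-keyring. The /etc/xdg/autostart and ~/.config/autostart locations are the XDG defaults assumed here.

```shell
#!/bin/sh
# Added example, not part of the bug report: disable gnome-keyring's GPG agent
# component for one user and check which agent GPG_AGENT_INFO points at.
set -eu

# disable_gk_gpg SRC DSTDIR
# Copies SRC into DSTDIR, drops existing X-GNOME-Autostart-enabled and
# NoDisplay lines, then appends X-GNOME-Autostart-enabled=false.
# Dropping NoDisplay makes the entry visible in gnome-session-properties.
# Prints the path of the override file that was written.
disable_gk_gpg() {
    src="$1"
    dstdir="$2"
    dst="$dstdir/$(basename "$src")"
    mkdir -p "$dstdir"
    grep -v -e '^X-GNOME-Autostart-enabled=' -e '^NoDisplay=' "$src" > "$dst"
    printf 'X-GNOME-Autostart-enabled=false\n' >> "$dst"
    printf '%s\n' "$dst"
}

# agent_socket_of INFO
# Prints the socket path embedded in a GPG_AGENT_INFO value
# ("path:pid:protocol"); this is the path the report checked with lsof.
agent_socket_of() {
    printf '%s\n' "${1%%:*}"
}

# is_gnome_keyring_info INFO
# Returns 0 when the socket path matches the /tmp/keyring-*/gpg layout that
# gnome-keyring used in the report, 1 otherwise (e.g. a real gpg-agent socket).
is_gnome_keyring_info() {
    case "$(agent_socket_of "$1")" in
        /tmp/keyring-*/gpg) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: ./disable-gk-gpg.sh --apply   (assumed script name)
if [ "${1:-}" = "--apply" ]; then
    disable_gk_gpg /etc/xdg/autostart/gnome-keyring-gpg.desktop \
        "${XDG_CONFIG_HOME:-$HOME/.config}/autostart"
fi
```

After logging out and back in, echo $GPG_AGENT_INFO should no longer show a /tmp/keyring-*/gpg socket.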

nic-stange (nic-stange) wrote :

Works like a charm! Thank you so much!

Since it took me days to track this problem down, its solution should be documented somewhere (in connection with the "Unsupported certificate" message). I would prefer the gpgsm manpage or /usr/share/doc/gpgsm/Readme.Debian (and of course all the Ubuntu Wikis around).

There is no APTish way to make things just work on installation of gpgsm, I guess?

Rolf Leggewie (r0lf)
Changed in gnupg2 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged