Created attachment 164117: truss of gpg-agent talking with pinentry

Scenario: symmetric encryption of a file (asymmetric encryption not tested, probably affected, too)

case A: When running as root:
root@uhura:/tmp # gpg -c somefile
Enter passphrase
Passphrase:
Please re-enter this passphrase
Passphrase:
root@uhura:/tmp #
result is as expected: somefile.gpg is on disk as encrypted file

case B: When running as user with non-root privileges:
% gpg -c somefile
gpg: problem with the agent: End of file
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'somefile' failed: Operation cancelled
%

console/messages shows:
kernel: pid 9717 (pinentry-tty), uid 2002: exited on signal 11

trussing the gpg-agent while talking with pinentry shows that
1. pinentry starts up
2. they do some handshaking and parameter exchange
3. pinentry dies after receiving "GETPIN"

see truss snippet attached

with best regards

Sorry, forgot to mention:
FreeBSD uhura 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
gnupg installed with pkg install

Hi, I have a similar crash using gpg2 to create a private key using a command like
gpg2 --full-gen-key

The command ends with:
...
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: agent_genkey failed: End of file
Key generation failed: End of file

and dmesg/logs show:
pid 1278 (pinentry-tty), uid 0: exited on signal 11

truss and ktrace show that pinentry dies during transaction with gpg-agent.
It's 10.2-RELEASE-p9, running pinentry and gnupg installed from pkg. Same results with locally compiled pinentry port.

(In reply to patpro from comment #2) and I forgot to mention: it happens when I run the command as root
10.2 RELEASE is gone. Is this still a problem, or overcome by events?
hi, this is still a problem for non-root user on a newer system: 11.0-RELEASE-p15 amd64

host user 53 (~/tmp): gpg -c xxx
gpg: Warning: using insecure memory!
gpg: problem with the agent: End of file
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'xxx' failed: Operation cancelled
host user 54 (~/tmp): tail /var/log/messages
Jan 10 14:28:01 host kernel: pid 1138 (pinentry-tty), uid 2002: exited on signal 11
host user 54 (~/tmp): pkg info -d gnupg
gnupg-2.2.4:
pinentry-1.0.0_3
libksba-1.3.5
libgpg-error-1.27
libgcrypt-1.8.2
libassuan-2.5.1
gnutls-3.5.16
indexinfo-0.3.1
readline-7.0.3_1
npth-1.5
gettext-runtime-0.19.8.1_1
sqlite3-3.21.0_1

11.0 is no longer supported; you'll need to upgrade to 11.1. That said, it works for me:

[adamw@apnoea ~] id
uid=1002(adamw) gid=1002(adamw) groups=1002(adamw),0(wheel)
[adamw@apnoea ~] uname -a
FreeBSD apnoea.adamw.org 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #0: Fri Dec 8 21:49:15 MST 2017 root@apnoea.adamw.org:/usr/obj/usr/src/sys/ASSISTCONTROL amd64
[adamw@apnoea ~] pkg info gnupg | head -1
gnupg-2.2.4
[adamw@apnoea ~] man sh > output
[adamw@apnoea ~] gpg -c output
gpg: /home/adamw/.gnupg/gpg.conf:206: obsolete option "no-use-agent" - it has no effect
gpg: Warning: using insecure memory!
[adamw@apnoea ~]

Which pinentry ports do you have installed? I'm wondering if there's something odd in your gpg.conf. You might try resetting it to default and see if that works for you.

hi, another test with FreeBSD 11.1 p4 amd64 installed from scratch and a freshly installed gnupg (via pkg install gnupg) now works as expected: gpg -c file encrypts the file. This issue now can be closed.

A note for others coming to this bug report having similar issues: My assumption is that a missing/broken package dependency in gnupg caused this bug. People having the missing package installed "by accident" did not see the bug. During tests I have seen that the installation of gnupg installs more dependent packages than on a fresh 11.0 or earlier system.

Glad to hear it works for you. I'm closing this bug, but I'm concerned about your reference to an extra package. If you find out which package it is, send me an email or open a PR for it.
I have come across this issue today, well I think it's the same issue. On my host system, I have installed gnupg, created some keys, works fine. Exported those keys, imported into a jail, and when I try to import the secret key, with:

>> gpg --allow-secret-key-import --import -v ~/mygpgkey_sec.gpg

The second secret key import gives this error:

>> gpg: Warning: using insecure memory!
>> gpg: sec rsa4096/E0108CA4B11481 2018-05-01 FreeBSD server <luke@s.com>
>> gpg: pub rsa4096/E0108CA4B11481 2018-05-01 FreeBSD server <luke@s.com>
>> gpg: key E0108CA4B1148132: "FreeBSD server <luke@s.com>" not changed
>> gpg: key E0108CA4B1148132/E0108CA4B114: secret key imported
>> gpg: pinentry launched (34423 tty 1.0.0 ? ? ?)
>> gpg: key E0108CA4B114/B5EA89265E982A: error sending to agent: End of file
>> gpg: Total number processed: 1
>> gpg: unchanged: 1

However, it worked fine on the host system, and this same import routine works on another machine. I can only assume this is because this jail doesn't have the missing package that is required to fix the issue (as it isn't listed as a dependency). I have tried installing with pkg install and via ports. I have tried as root and a normal user, but this is either the same issue where I have a missing dependency, or something else, but reading the above I believe it to be the former.

If I prefix my import with a

>> killall gpg-agent

And then try and run the import I get:

>> gpg --allow-secret-key-import --import -v gpg_keys/freebsd_sec.gpg
>> gpg: Warning: using insecure memory!
>> gpg: directory '/home/luke/.gnupg' created
>> gpg: keybox '/home/luke/.gnupg/pubring.kbx' created
>> gpg: sec rsa4096/E0108CA4B1148 2018-05-01 FreeBSD server <luke@s.com>
>> gpg: pub rsa4096/E0108CA4B1148 2018-05-01 FreeBSD server <luke@solentwholesale.com>
>> gpg: /home/luke/.gnupg/trustdb.gpg: trustdb created
>> gpg: using pgp trust model
>> gpg: key E0108CA4B1148132: public key "FreeBSD server <luke@s.com>" imported
>> gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent'
>> gpg: waiting for the agent to come up ... (5s)
>> gpg: connection to agent established
>> gpg: key E0108CA4B1148/E0108CA4B1148: secret key imported
>> gpg: pinentry launched (95385 tty 1.0.0 ? ? ?)
>> gpg: key E0108CA4B1148/B5EA89265E98: error sending to agent: End of file
>> gpg: Total number processed: 1
>> gpg: imported: 1
>> gpg: secret keys read: 1

So I know I am talking to the agent, but get an error sending to the agent.

For future googlers, if you ever end up here, it's most likely that in order to use gpg in a jail, you need to create the following entry in ~/.gnupg/gpg-agent.conf:

>> allow-loopback-pinentry

And then for every gpg command you run, you need to prefix it with:

>> gpg --pinentry-mode loopback <other options>

E.g.

>> gpg --pinentry-mode loopback -d my_file.gpg
>> Results here

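The loopback workaround from the comment above, together with a check for the pinentry crash signature quoted earlier in the thread, as an added example that is not part of the original report. The function names are invented for this sketch, and the log format is assumed to match the kernel lines quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are invented for this sketch.

# Print "pid uid" for every pinentry segfault (signal 11) found in a kernel
# log, matching the message format quoted in the thread.
pinentry_crashes() {
    sed -n 's/.*pid \([0-9][0-9]*\) (pinentry[^)]*), uid \([0-9][0-9]*\): exited on signal 11.*/\1 \2/p' "$@"
}

# Add allow-loopback-pinentry to gpg-agent.conf exactly once, keeping the
# GnuPG home owner-only (0700) and the config file 0600.
enable_loopback_pinentry() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    conf=$dir/gpg-agent.conf
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    # -x matches whole lines only, so "#allow-loopback-pinentry" does not count.
    if ! grep -qx 'allow-loopback-pinentry' "$conf" 2>/dev/null; then
        (
            umask 077
            # Do not glue the option onto a last line that lacks a newline.
            if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
                echo >> "$conf"
            fi
            echo 'allow-loopback-pinentry' >> "$conf"
        ) || return 1
    fi
    chmod 600 "$conf"
}

# Run gpg with the passphrase prompt handled by gpg itself, not pinentry.
gpg_loopback() {
    gpg --pinentry-mode loopback "$@"
}

# "sh thisfile --apply" writes the option and stops the running agent so the
# next gpg call starts one that has read the new configuration.
if [ "${1:-}" = "--apply" ]; then
    enable_loopback_pinentry && gpgconf --kill gpg-agent
fi
```

With loopback mode the passphrase is read by gpg on the calling terminal or file descriptor instead of by pinentry, so scripts that use `gpg_loopback` should not place the passphrase on the command line.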
I'm experiencing this problem on FreeBSD 12.0. I've opened an issue in the pot jail framework repository (https://github.com/pizzamig/pot/issues/71) but it looks like it is a jail issue in general.
I was able to get gpg-agent to show me a proper password prompt in mutt after I changed the devfs rule set to use:

> devfs -m /mount/point/of/your/jail/dev rule -s 4 applyset