Describe the bug
gpgconf indicates that pinentry is not installed, so it's not possible to encrypt or decrypt using gpg.
To Reproduce
Steps to reproduce the behavior:
1 - My configuration.nix

```nix
services.openssh.enable = true;
programs.ssh.startAgent = false;
programs.gnupg.agent.pinentryFlavor = "curses";
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};
```
2 - My .gnupg folder contains gpg.conf with:

```
use-agent
```

and an empty gpg-agent.conf.

3 - Run

```shell
systemctl --user restart gpg-agent
gpgconf --reload gpg-agent
```
4 - See the process

```
[root@arkham:~/.gnupg]# ps aux | grep gpg-agent
2285 root 0:00 /nix/store/76dkq6ahwc32amdbbypmfsdvjkh1ab82-gnupg-2.2.23/bin/gpg-agent --supervised --pinentry-program /nix/store/shw8mdjaiv0gbgzzv5sbnw2g0vjvpkg0-pinentry-1.1.0-curses/bin/pinentry
```

5 - See the problem (1)

```
[root@arkham:~/.gnupg]# gpgconf --check-programs
gpgconf: error running '/nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/pinentry': probably not installed
[root@arkham:~]# ls /nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/
addgnupghome gpg gpg2 gpgsm watchgnupg
applygnupgdefaults gpg-agent gpgconf gpgtar
dirmngr gpg-connect-agent gpgparsemail gpgv
dirmngr-client gpg-wks-server gpgscm kbxutil
```
6 - See the problem (2)

```
[root@arkham:~]# gpg -d -vvv test.txt.gpg
gpg: using character set 'utf-8'
# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
salt DFE34FFAF84E03FE, count 65011712 (255)
gpg: AES256 encrypted data
gpg: connection to agent is in restricted mode
gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.20)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with the agent: Forbidden
# off=15 ctb=d2 tag=18 hlen=2 plen=65 new-ctb
:encrypted data packet:
length: 65
mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key
```
I also tried to install pinentry manually, but that failed because the PATH in the catalog differs.
Expected behavior
Possibility to decrypt and encrypt using my smartcard/yubikey by calling gpg
Additional context
I'm trying to use Yubikey pgp on a remote ssh session
Notify maintainers
@flokli
Metadata
- system: `"x86_64-linux"`
- host os: `Linux 5.4.62, NixOS, 20.09pre242769.61525137fd1 (Nightingale)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.3.7`
- channels(root): `"nixos-20.09pre242769.61525137fd1"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:
```yaml
# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
  - programs.gnupg.agent
```
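A small check that follows the diagnosis in this thread: compare the --pinentry-program the unit passed to gpg-agent (the ps line) with what gpgconf --check-programs resolves and whether gpgconf marks it installed. Added example, not code from the issue or from nixpkgs; it runs on constructed sample lines with placeholder store hashes.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or nixpkgs): does the pinentry gpg-agent was
# started with match the one gpgconf resolves, and is that one actually installed?
# All sample lines are constructed, modelled on the ps and gpgconf output in the report.

# Pull the --pinentry-program argument out of a gpg-agent command line (empty if absent).
pinentry_from_ps() {
    printf '%s\n' "$1" | sed -n 's/.*--pinentry-program[ =]\([^ ]*\).*/\1/p'
}

# gpgconf --check-programs prints name:description:program:avail:okay:...
# field 3 is the program gpgconf will use, field 4 is 1 only when it is installed.
pinentry_from_gpgconf() {
    printf '%s\n' "$1" | awk -F: '$1 == "pinentry" { print $3 }'
}
pinentry_installed_flag() {
    printf '%s\n' "$1" | awk -F: '$1 == "pinentry" { print $4 }'
}

# Exit 0 when the running agent and gpgconf agree on an installed pinentry, 1 otherwise.
check_pinentry() {
    agent_pe=$(pinentry_from_ps "$1")
    conf_pe=$(pinentry_from_gpgconf "$2")
    avail=$(pinentry_installed_flag "$2")
    if [ -z "$agent_pe" ]; then
        echo "no --pinentry-program: probably a stray agent, not the unit-started one"
        return 1
    elif [ "$agent_pe" != "$conf_pe" ]; then
        echo "mismatch: agent uses $agent_pe but gpgconf resolves $conf_pe"
        return 1
    elif [ "$avail" != "1" ]; then
        echo "gpgconf reports $conf_pe as not installed"
        return 1
    fi
    echo "ok: $agent_pe"
}

# Constructed samples; the store hashes are placeholders, not real store paths.
PS_OK='4131 root 0:00 /nix/store/aaaa-gnupg-2.2.23/bin/gpg-agent --supervised --pinentry-program /nix/store/bbbb-pinentry-1.1.0-curses/bin/pinentry'
PS_STRAY='4192 root 0:00 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon'
GPGCONF_OK='pinentry:Passphrase Entry:/nix/store/bbbb-pinentry-1.1.0-curses/bin/pinentry:1:1:'
GPGCONF_BAD='pinentry:Passphrase Entry:/nix/store/cccc-gnupg-2.2.20/bin/pinentry:0:0:'

check_pinentry "$PS_OK" "$GPGCONF_OK"
check_pinentry "$PS_OK" "$GPGCONF_BAD" || :     # gpgconf falls back to the missing ${gnupg}/bin/pinentry
check_pinentry "$PS_STRAY" "$GPGCONF_BAD" || :  # the stray agent from the report has no --pinentry-program
```

On a real host, feed it `ps wwaux | grep '[g]pg-agent'` and `gpgconf --check-programs | grep '^pinentry:'` instead of the samples.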
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/yubikey-smartcard-challenge-mode-usable-on-remote-ssh/8936/16
It seems like gpg-agent is ignoring the --pinentry-program option and using its own default of trying to find pinentry relative to its own path.
Is this a recent regression, or when did you run into this? Are you actually running the version of gpg-agent configured with that pinentry? (try `ps wwaux|grep gpg-agent`)
reyman mentioned on IRC that this is the first time they're trying to set this up.
@flokli Yes, @NieDzejkob is right, this is the first time I try this thing, using unstable to get some recent patches for yubikey/ssh/luks things.
Perhaps the pinentry problem could be linked to https://github.com/NixOS/nixpkgs/issues/95777 ?
I'm noticing another strange thing: after some time I need to restart gpg-agent manually:

```
systemctl --user restart gpg-agent
[root@arkham:~]# ps wwaux|grep gpg-agent
4124 root 0:00 grep gpg-agent
[root@arkham:~]# systemctl --user restart gpg-agent
[root@arkham:~]# ps wwaux|grep gpg-agent
4131 root 0:00 /nix/store/76dkq6ahwc32amdbbypmfsdvjkh1ab82-gnupg-2.2.23/bin/gpg-agent --supervised --pinentry-program /nix/store/shw8mdjaiv0gbgzzv5sbnw2g0vjvpkg0-pinentry-1.1.0-curses/bin/pinentry
```
But I see another weird thing: it seems there is another gpg-agent that runs sometimes:

```
[root@arkham:~]# ps wwaux|grep gpg-agent
4192 root 0:00 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
```

So there is some hook somewhere that starts another gpg-agent. I suppose this is linked to other issues on gpg like https://github.com/NixOS/nixpkgs/issues/92084 / https://github.com/NixOS/nixpkgs/issues/57779 / https://github.com/NixOS/nixpkgs/issues/72597 /
Too bad that there still is no fix for that :-(
Ugh, just ran into this today. A shame you have to google and rely on bug reports to get a workaround.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/yubikey-smartcard-challenge-mode-usable-on-remote-ssh/8936/20
I am getting gnupg from a nix-shell and ran into this. It previously worked fine but now gives me this error. I don't have any configuration in my nixos config for it.
Right @jasoncarr0 @flokli, I had the same problem without any config for gpg-agent in my configuration.nix.
To reproduce, take a live cd:

```
pinentry-program /home/nixos/.nix-profile/bin/pinentry
```

Return

```
pinentry:Passphrase Entry:/nix/store/przl7lwjkpfd3hml0rrmfq331jggn7db-gnupg-2.2.19/bin/pinentry:0:0:
```

which doesn't exist.
Another problem:

```
[nixos@nixos:~/.gnupg]$ ls -l ~/.nix-profile/bin/pinentry*
```

returns

```
lrwxrwxrwx 1 root root 71 Jan 1 1970 /home/nixos/.nix-profile/bin/pinentry -> /nix/store/pahxcgryyrh4cj8yc6nq1537k5867021-pinentry-1.1.0/bin/pinentry
```

pinentry-curses doesn't exist, see https://github.com/NixOS/nixpkgs/issues/95777 ...
gnupg really doesn't like picking up pinentry from $PATH. See my comment from https://github.com/NixOS/nixpkgs/pull/90214#issuecomment-652487240.
So running nix-env -iA to "install" various pinentrys to your environment won't help, even if https://github.com/NixOS/nixpkgs/issues/65325 would be fixed.
We currently do start a gpg-agent in a user session, which is configured with an appropriate pinentry depending on your system configuration: https://github.com/NixOS/nixpkgs/pull/71095
There were some ideas on having a wrapper at ${gnupg}/bin/pinentry already some time ago (https://github.com/NixOS/nixpkgs/issues/72597#issuecomment-549274360), which could pick up a pinentry from $PATH, but no-one has thought about the security implications, or stepped up to send a PR yet ;-)
Thanks @flokli for pointing me to these remarks/issues.
I'm in the case of running an install from the NixOS liveCD using remote SSH, where gpg-agent & pinentry seem not to be installed/configured to work without a GUI. What do you advise? Creating a new livecd with gpg-agent correctly configured? Or, as a last-chance solution, push my decrypted password from local to remote as a script argument over ssh ...
I'm not very familiar with how the live cds currently look like, but both gnome3 and plasma5 environments should configure an appropriate pinentry flavour - so it might be just a matter of setting programs.gnupg.agent.enable in the graphical installer profile.
gnupg might already be in the closure anyways :shrug: