flathub / io.github.shiftey.Desktop

https://flathub.org/apps/details/io.github.shiftey.Desktop

An error when trying to sign a commit: no pinentry #22

Open geext-dk opened 2 years ago

geext-dk commented 2 years ago

Issue

Not possible to sign commits for now. When I try to make a commit with gpgSign = true in my config, I see the following error: [image]

But it works if I first make a commit outside flatpak and then do another commit in the Github Desktop application.

Possible cause

If I try to launch this package in cli: flatpak run --command=sh io.github.shiftey.Desktop, and type echo test | gpg --clear-sign, I get this:

gpg: WARNING: server 'gpg-agent' is older than us (2.2.20 < 2.2.31)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
gpg: signing failed: pinentry error
gpg: [stdin]: clear-sign failed: pinentry error

As I understand, to support gpg signing this flatpak package should include its own version of pinentry, at least for now.

You can find some discussion regarding this on other flatpak repos, e. g. https://github.com/flathub/org.gnome.Evolution/issues/12

Additional info

Host OS: Fedora 35

Lunarequest commented 2 years ago

Do you have a gpg-agent instance running on your host system? Originally we did use something similar to evolution but it caused more issues than it solved.

geext-dk commented 2 years ago

Yes I guess (Fedora 35 by the way):

$ gpg-agent
gpg-agent[25052]: gpg-agent running and available

Lunarequest commented 2 years ago

I'm also on fedora 35 and I get the pinentry prompt. Can you check if you have pinentry?

geext-dk commented 2 years ago

Yes

$ ls /usr/bin | grep pinentry
pinentry
pinentry-curses
pinentry-gnome3

I got the same error on host but it worked when I added pinentry-mode loopback to my gpg.conf. But it didn't solve the problem with Github Desktop.

Could it be that's because I'm on wayland?

UPD: tested it on the rpm package. It worked when I removed pinentry-mode loopback... But the flatpak version still doesn't work. So yeah. I wouldn't think something is wrong with my setup since the rpm package works correctly (it shows the gnome password prompt, it's pinentry-gnome3 I guess), and I didn't modify any permissions of the flatpak package with Flatseal or anything like that. And that's with no gpg.conf, gpg-agent.conf at all. And in the .gitconfig I have just set commit.gpgsign = true and user.signingKey set to my key fingerprint, and user.name and user.email of course. That's it.

Lunarequest commented 2 years ago

could you check if gpg-agent is running? pidof gpg-agent

geext-dk commented 2 years ago

$ pidof gpg-agent
13786

geext-dk commented 2 years ago

I think I should also say that I actually tried to do this on multiple linux distributions: first on Pop OS, then on Fedora 35, and now I'm on Fedora Silverblue 35 (don't plan to switch for now, hopefully never), and it didn't work anywhere. That could mean that at least my system probably isn't the reason why it doesn't work, because, well, I've installed it several days ago, it's pretty clean.

I did nothing with GnuPG, no tweaks. All I did is some changes to the config, and that config is now deleted so it shouldn't affect anything. I successfully sign commits on the host (outside flatpak), either in CLI or via the rpm version of the app.

Also, the flatpaked app starts to sign commits after I first make a signed commit outside, on the host (just checked, but there can be more to that), then it works for all subsequent commits in flatpak too. I guess that's because it doesn't need to ask for a password after I make a commit on host? But when it does need my password, it tries to launch an ncurses pinentry? But everywhere else I get the gnome variant (typical gnome modal window).

Lunarequest commented 2 years ago

maybe set a pinentry program in gpg-agent.conf?

geext-dk commented 2 years ago

Added pinentry-program /usr/bin/pinentry-gnome3 to ~/.gnupg/gpg-agent.conf with no luck. Also tried pinentry-allow-loopback just in case. Didn't work either. After every config change ran gpg-connect-agent reloadagent /bye, so the config should have been taken into account.

Lunarequest commented 2 years ago

could you try building from commit ff9038d3b80368c5d762a46c78a943e2d4f3b2d9? It's the last one where we bundled gpg agent and pinentry like org.gnome.Evolution

geext-dk commented 2 years ago

Yeah but I can't build it for some reason, any advice on that? I used this command:

flatpak-builder build io.github.shiftey.Desktop.yaml --repo=repo --install --force-clean --install-deps-from=flathub > build.log 2>&1

And the outputs are here.

I guess it's not just asking for node to be installed on my system, or is it? I have it in PATH, just not installed system-wide.

Lunarequest commented 2 years ago

Try installing the node extension to system

geext-dk commented 2 years ago

Okay, figured it out, it has node16 sdk extension as a dependency but uses node14 later instead. Wait, it's set up like this on master too, how is it working then? Shouldn't it be changed?

Back to the topic, sadly no, it doesn't work either. And now when I think about it, I find it not a good solution anyway to bundle pinentry in the package... Hm. Maybe something is wrong with my system. It's weird that it doesn't work for me but works for you... I guess I will spend some time troubleshooting this. If I find something, I will share.

geext-dk commented 1 year ago

A small update

It still doesn't work for me, checked multiple times on fresh installs (Fedora Workstation 37)

hughesjs commented 1 year ago

@geext-dk - If you never got this working, I've found an admittedly hacky AF workaround...

Just edit /usr/bin/pinentry to be:

#!/bin/sh
exec /usr/bin/pinentry-gnome3 "$@"

Or whichever pinentry front-end you want to use.

Now, if you fixed this properly, please let me know how!

tunix commented 1 year ago

Has anyone figured out a solution to this? On the host, it asks for my password and when I do, flatpak app works fine since it uses the gpg-agent. But if I restart the agent (so it doesn't have the password cached) my app (intellij) simply fails.

hughesjs commented 1 year ago

@tunix - Have you tried my suggestion in the comment above yours? It's not a fix but it's a workaround that seems pretty solid for me

tunix commented 1 year ago

@hughesjs - where do you do this? on the host?

InfiniteLoopGameDev commented 1 year ago

Any news on this? Still having issues on Fedora 37.

InfiniteLoopGameDev commented 1 year ago

Hello, I seem to have fixed this issue by disabling socket=gpg-agent in Flatseal. This is very weird, as it seems that it should likely do the opposite of fixing this.

hughesjs commented 1 year ago

> @hughesjs - where do you do this? on the host?

On whatever machine you're installing the flatpak on

krempel-pt commented 1 year ago

> Hello I seem to have fixed this issue by disabling socket=gpg-agent in Flatseal. This is very weird as it seems that it should likely do the opposite of fixing this

I had the same problem with Evolution and exactly that fixed it for the moment. Thanks for the advice.

I assume that keys from the agent can no longer be used that way, but I didn't check that yet. So I would consider that as another workaround, but not as the solution for the root cause.

Diyou commented 9 months ago

I'm getting the same error prompt with kde plasma on arch.

[📦 io.github.shiftey.Desktop ~]$ echo test | gpg --clear-sign
gpg: WARNING: server 'keyboxd' is older than us (2.4.2 < 2.4.3)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
gpg: signing failed: No pinentry
gpg: [stdin]: clear-sign failed: No pinentry

Switching socket=gpg-agent off didn't change anything.
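
An added example, not part of any comment in this thread: a small POSIX shell helper that summarises the stderr of a failed `gpg --clear-sign` run. It reports which daemon is older than the gpg client in the sandbox and which failure gpg gave, using the stderr lines of the two transcripts quoted above as sample input. The function name `triage_gpg_output` and its output format are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: summarise gpg's stderr after a failed
# signing attempt inside a sandbox that talks to a daemon started elsewhere.

# Reads gpg stderr on stdin. Prints one "skew ..." line per daemon that gpg
# reports as older than the client, and one "failure ..." line per signing
# failure, so the two symptoms can be compared across machines.
triage_gpg_output() {
    awk '
    /^gpg: WARNING: server .* is older than us \(/ {
        # \047 is the single-quote character; q[2] is the daemon name.
        split($0, q, "\047")
        if (match($0, /\([^)]*\)/)) {
            # Text inside the parentheses has the form "<daemon> < <client>".
            split(substr($0, RSTART + 1, RLENGTH - 2), v, " < ")
            printf "skew daemon=%s daemon_version=%s client_version=%s\n", q[2], v[1], v[2]
        }
        next
    }
    /^gpg: signing failed: / {
        sub(/^gpg: signing failed: /, "")
        printf "failure reason=%s\n", $0
    }
    '
}

# stderr lines copied from the two transcripts quoted in the thread.
SAMPLE_FEDORA="gpg: WARNING: server 'gpg-agent' is older than us (2.2.20 < 2.2.31)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command \"gpgconf --kill all\" to restart them.
gpg: signing failed: pinentry error
gpg: [stdin]: clear-sign failed: pinentry error"

SAMPLE_ARCH="gpg: WARNING: server 'keyboxd' is older than us (2.4.2 < 2.4.3)
gpg: Note: Outdated servers may lack important security fixes.
gpg: signing failed: No pinentry
gpg: [stdin]: clear-sign failed: No pinentry"

printf '%s\n' "$SAMPLE_FEDORA" | triage_gpg_output
printf '%s\n' "$SAMPLE_ARCH" | triage_gpg_output
```

On a live system the same function can be fed with `echo test | gpg --clear-sign 2>&1 >/dev/null | triage_gpg_output`.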

InfiniteLoopGameDev commented 6 months ago

Hey @Diyou, I just recently switched to KDE Plasma. I once again found myself with the error message. It seems that the flatpak is unable to run pinentry-qt, but installing pinentry-gnome3 fixed it!