flathub / org.claws_mail.Claws-Mail

https://flathub.org/apps/details/org.claws_mail.Claws-Mail

Host gpg-agent cannot display pinentry-dialog in isolated flatpak app container #26

Open bayonne opened 2 years ago

bayonne commented 2 years ago

Hello,

On my Ubuntu 20.04, trying to read encrypted emails fails with pinentry errors when the recipient's GPG key is not already in the host gpg-agent. Can this be reproduced by anyone else? The app is started with --filesystem=xdg-run/gnupg:ro.

cobratbq commented 2 years ago

Hi, thanks for letting me know.

bayonne commented 2 years ago

Hello,

gpg-agent is started by systemd and the logs have error messages:

Nov 23 14:34:05 hostname gpg-agent[318768]: failed to connect to user session D-Bus (1): Could not connect: No such file or directory
Nov 23 14:34:05 hostname gpg-agent[318768]: Failed to lookup password for key n/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ with secret service: Could not connect: No such file or directory
Nov 23 14:34:05 hostname gpg-agent[318768]: Timeout: the Gcr system prompter was already in use.
Nov 23 14:34:05 hostname gpg-agent[309257]: failed to unprotect the secret key: pinentry error
Nov 23 14:34:05 hostname gpg-agent[309257]: failed to read the secret key
Nov 23 14:34:05 hostname gpg-agent[309257]: command 'PKDECRYPT' failed: pinentry error <Pinentry>

cobratbq commented 2 years ago

Initial research suggests that the flatpak package needs access to the session-bus to access gnupg/pinentry components. You can try running with --talk-name=org.freedesktop.secrets. (Full command to run: flatpak run --talk-name=org.freedesktop.secrets org.claws_mail.Claws-Mail) I have not tested this yet.

bayonne commented 2 years ago

I tried again with this session-bus permission; I still get the pinentry error on message decryption.

cobratbq commented 2 years ago

I can confirm. I'm still looking into the right way to solve this. If this is a blocking issue for you, flatpak allows you to downgrade to an earlier commit, to Claws-Mail 3.18.

cobratbq commented 2 years ago

@bayonne please check the new test build. If the problem persists, which may be the case, make sure that gpg-agent is running before starting Claws-Mail.

If you run Claws-Mail from the console like flatpak run org.claws_mail.Claws-Mail, the first lines will report on a check to see if gpg-agent is accessible from within the package.

So far, I can confirm that Debian works out-of-the-box, and Fedora requires starting the gpg-agent manually beforehand.

bayonne commented 2 years ago

I tried this new test build on Ubuntu 20.04. When Claws-Mail is run from the console, there is a message about gpg-agent being available. But I still get the same errors as earlier.

cobratbq commented 2 years ago

Great! Although, in that case I do not have a solution yet. This is probably the case where gpg-agent is run as a systemd unit. I will see if I can check on an Ubuntu 20.04 set-up myself. This gives me a good lead. I suspect a similar situation exists with Manjaro installs.

bayonne commented 2 years ago

@cobratbq gpg-agent is managed by systemd indeed.

cobratbq commented 2 years ago

@bayonne I can't debug this issue. I have a cleanly installed, updated Ubuntu 20.04 install. It just works. I can think of a few things, due to the way gpg-agent is managed:

  1. use the pinentry-program config option of gpg-agent to explicitly set the desired GUI program, e.g. /usr/bin/pinentry-... (... should be replaced by one of the available variants. Depends per distro.)
  2. restart gpg-agent for the current user (if running as services, instead of activated upon socket connection) while logged in as this user. To give it a chance to adapt to the user's current session. (This is educated guessing, but I give it only a small chance of success.)
  3. check if claws-mail is configured to make use of gpg-agent in the gpg plugin settings. (Possibly explicitly setting the path to gpg: /usr/bin/gpg.)
  4. Stop the systemd gpg-agent services and sockets. Start gpg-agent manually. Then test again to see if the issue disappears in the Claws-Mail flatpak. If so, that means we know the direction of the solution, at least.

bayonne commented 2 years ago

@cobratbq Plugin preferences in Claws-Mail look ok (including path to /usr/bin/gpg). Also added path to pinentry-gnome3 in gpg-agent.conf. I tried to start gpg-agent manually after stopping the service and sockets, with gpg-agent --daemon --verbose flatpak run ... (single line), but pinentry errors are still there.

These messages are repeated:

gpg-agent[280958]: starting a new PIN Entry
gpg-agent[280958]: failed to unprotect the secret key: pinentry error
gpg-agent[280958]: failed to read the secret key
gpg-agent[280958]: command 'PKDECRYPT' failed: pinentry error
gpg-agent[280958]: command 'PKDECRYPT' failed: No secret key

and this appears too:

gpg-agent[280958]: no running SCdaemon - starting it
gpg-agent[280958]: can't connect to the SCdaemon: IPC connect call failed

cobratbq commented 2 years ago

> @cobratbq Plugin preferences in Claws-Mail look ok (including path to /usr/bin/gpg). Also added path to pinentry-gnome3 in gpg-agent.conf. I tried to start gpg-agent manually after stopping the service and sockets, with gpg-agent --daemon --verbose flatpak run ... (single line), but pinentry errors are still there.
>
> These messages are repeated:
>
> gpg-agent[280958]: starting a new PIN Entry
> gpg-agent[280958]: failed to unprotect the secret key: pinentry error
> gpg-agent[280958]: failed to read the secret key
> gpg-agent[280958]: command 'PKDECRYPT' failed: pinentry error
> gpg-agent[280958]: command 'PKDECRYPT' failed: No secret key

The core issue here is the pinentry error. Because of this error, the follow-up steps fail due to missing the password.

> and this appears too:
>
> gpg-agent[280958]: no running SCdaemon - starting it
> gpg-agent[280958]: can't connect to the SCdaemon: IPC connect call failed

The scdaemon, too, should be run on the host. If you do, it too will produce a socket. I have seen it exist as a socket, but that may not be as common.

cobratbq commented 2 years ago

For the SCdaemon issue: this is easily fixed by opening the socket. At run-time: flatpak run --socket=pcsc org.claws_mail.Claws-Mail (and will be adjusted in next package)

bayonne commented 2 years ago

Thanks. (I do not have smart cards, though; scdaemon is not installed).

So something might be broken on my system, causing the pinentry errors.

cobratbq commented 2 years ago

I have just pushed some packaging changes. This will restore pinentry and pcsc. This may solve your issues.

bayonne commented 2 years ago

Thanks for the notice. Unfortunately I still get error messages like command 'PKDECRYPT' failed: pinentry error <Pinentry>.

cobratbq commented 2 years ago

Thanks for letting me know. In that case, I will prepare the fully original solution for you in a test branch. I'll follow up soon.

cobratbq commented 2 years ago

@bayonne can you try this test-build? If you start it from the command-line, I would be curious about the output on stdout when Claws-Mail is just started. If this works, I would expect to see that gpg-agent is being started, i.e. not yet running.

This should be the same solution as I used first. From what I understand from your story, this should work.

bayonne commented 2 years ago

Hello,

With Commit: 7904e337debdb7d9f19bf835bcdf8927d4d06c24a9f67171e7bea44cd7ee0dae, I have:

$ flatpak run --user org.claws_mail.Claws-Mail
INFO: gpg-agent is available.
INFO: the socket to scdaemon on the host cannot be found. Claws-Mail will try to start it and connect to pcscd if needed.
gpg-agent: a gpg-agent is already running - not starting a new one
Starting Claws-Mail ...

and messages cannot be decrypted because of pinentry errors.

cobratbq commented 2 years ago

I suspected this answer. I need to reproduce this myself in order to efficiently try new ideas. I have an idea of where to look, but no test set-up. Ubuntu 20.04 (clean install in VM) did not pose an issue for me.

cobratbq commented 2 years ago

I finally managed to reproduce in Ubuntu 22.04. The main problem is that the flatpak application runs on DISPLAY=:99.0, and that's how it is isolated. When the host gpg-agent process is called with a request to display on :99.0, that display is not available.
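The diagnosis above (a host gpg-agent asked to show pinentry on the sandbox's private DISPLAY) and the journal excerpts earlier in the thread suggest a small triage helper. The script below is an added example, not code from this thread or from the Claws-Mail flatpak. It classifies gpg-agent log lines into root causes (session bus, Gcr prompter, pinentry, scdaemon, and the follow-on "No secret key") and then checks whether the DISPLAY a sandbox advertises maps to an X socket the host can actually open. It assumes the usual /tmp/.X11-unix/X<n> socket naming and that gpg forwards its DISPLAY to the agent, which hands it to pinentry; SAMPLE_LOG is copied from the thread's log lines, and the host socket sets used in the checks are constructed.

```python
"""Triage helper for host gpg-agent / flatpak pinentry failures.
Added example; not part of the issue thread or the Claws-Mail flatpak."""
import os
import re
import stat

# Log lines copied from this issue thread (journal prefix dropped).
SAMPLE_LOG = [
    "gpg-agent[318768]: failed to connect to user session D-Bus (1): Could not connect: No such file or directory",
    "gpg-agent[318768]: Timeout: the Gcr system prompter was already in use.",
    "gpg-agent[309257]: failed to unprotect the secret key: pinentry error",
    "gpg-agent[309257]: command 'PKDECRYPT' failed: pinentry error <Pinentry>",
    "gpg-agent[280958]: can't connect to the SCdaemon: IPC connect call failed",
    "gpg-agent[280958]: command 'PKDECRYPT' failed: No secret key",
]

# (pattern over one log line, root-cause tag, what is missing between sandbox and host)
RULES = [
    (re.compile(r"failed to connect to user session D-Bus"),
     "session-bus", "agent cannot reach the user's session bus for the secret-service lookup"),
    (re.compile(r"Gcr system prompter was already in use"),
     "gcr-prompter", "GNOME Gcr prompter busy or unreachable from the agent's session"),
    (re.compile(r"PKDECRYPT' failed: pinentry error"),
     "pinentry", "pinentry could not be shown; check the DISPLAY the agent was handed"),
    (re.compile(r"can't connect to the SCdaemon"),
     "scdaemon", "scdaemon/pcscd unreachable from the sandbox (--socket=pcsc), or no card reader at all"),
    (re.compile(r"PKDECRYPT' failed: No secret key"),
     "follow-on", "consequence of the failed pinentry, not a separate cause"),
]


def classify(lines):
    """Return {tag: hint} for every root cause matched in the given log lines."""
    found = {}
    for line in lines:
        for rx, tag, hint in RULES:
            if rx.search(line):
                found.setdefault(tag, hint)
    return found


def display_socket_path(display, x11_dir="/tmp/.X11-unix"):
    """Map a local X DISPLAY such as ':99.0' or 'unix:0' to its host socket path.
    Returns None for non-local displays (e.g. 'localhost:10.0' from ssh -X)."""
    m = re.match(r"^(?:unix)?:(\d+)(?:\.\d+)?$", display)
    if not m:
        return None
    return os.path.join(x11_dir, "X" + m.group(1))


def probe_x11_sockets(x11_dir="/tmp/.X11-unix"):
    """Set of X server sockets that really exist on this host (empty if none)."""
    found = set()
    if not os.path.isdir(x11_dir):
        return found
    for name in os.listdir(x11_dir):
        path = os.path.join(x11_dir, name)
        try:
            if stat.S_ISSOCK(os.stat(path).st_mode):
                found.add(path)
        except OSError:
            pass  # vanished or unreadable entry; treat as absent
    return found


def check_display(sandbox_display, host_sockets):
    """Could a pinentry launched by the host agent open the sandbox's DISPLAY?
    host_sockets is the set of X socket paths visible to the host process."""
    path = display_socket_path(sandbox_display)
    if path is None:
        return {"display": sandbox_display, "reachable": False,
                "reason": "not a local X display"}
    ok = path in host_sockets
    return {"display": sandbox_display, "socket": path, "reachable": ok,
            "reason": "ok" if ok else "host has no such X socket; the sandbox DISPLAY is private to the sandbox"}


if __name__ == "__main__":
    for tag, hint in classify(SAMPLE_LOG).items():
        print(f"{tag:12s} {hint}")
    # ':99.0' is the DISPLAY reported for the flatpak app in the thread.
    print(check_display(":99.0", probe_x11_sockets()))
```

Run it on the host while reproducing the failure: a `pinentry` tag together with `reachable: False` for the sandbox's DISPLAY is the signature of the mismatch described in the last comment, whereas `session-bus` or `scdaemon` on their own point at the bus and pcsc permissions discussed earlier in the thread.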