flathub / org.claws_mail.Claws-Mail

https://flathub.org/apps/details/org.claws_mail.Claws-Mail

PGP plugin error #5

Closed Enpheebled closed 4 years ago

Enpheebled commented 4 years ago

I installed the flathub version of ClawsMail 3.17.4 in Linux Mint 19 Tara via the Mint Software Manager, and I loaded the included PGP/Inline plugin and the PGP/Core plugin in Claws-Mail.

When I tried to open a gpg-encrypted email message, an error that said 'Couldn't decrypt: no pinentry' was displayed in the mail message header area.

I have gpg installed (which means gpg2 in Ubuntu 18.04 and derivatives) and pinentry-curses, pinentry-gnome3 and pinentry-gtk2 installed. Also installed is libgpgme11.

I have configured the Claws-Mail Preferences -> Plugins -> GPG 'Path to GnuPG executable' correctly to '/usr/bin/gpg'.

Reading the encrypted email works without any problem in Thunderbird with the Enigmail extension, and also in Claws-Mail 3.16.01 (with the claws-mail-pgpinline package) installed via apt.

Is this perhaps a flathub permissions issue?

cobratbq commented 4 years ago

I will investigate this.

cobratbq commented 4 years ago

I can confirm that something is wrong. I expect it to take some time to figure out. (What I found is not related to pinentry but that might be due to the use case. I expect both to be part of the same issue.)

To verify: you mention installing some other packages related to gpg and pinentry. You are sure that you are running the flatpak-version of Claws-Mail, right? (You can verify manually by running flatpak list and looking up org.claws_mail.Claws-Mail in the listing.)

Enpheebled commented 4 years ago

Thanks for looking into this.

Yes, it's definitely the flatpak version: Package: org.claws_mail.Claws-Mail Version: 3.17.4

When the problem first occurred it was the only Claws-Mail I had installed. Later I installed the apt package (Claws-Mail 3.16.01) to check if the problem was related to Claws-Mail itself, but that version worked without a problem.

cobratbq commented 4 years ago

Checking: https://gitlab.gnome.org/GNOME/gnome-build-meta/issues/230

cobratbq commented 4 years ago

Comment regarding pinentry: https://github.com/flathub/org.claws_mail.Claws-Mail/pull/6#issuecomment-561664527

cobratbq commented 4 years ago

Recommended to request for freedesktop-sdk. Closed. Advised to request inclusion into Gnome-platform instead. See https://github.com/flathub/org.claws_mail.Claws-Mail/issues/5#issuecomment-561669318

Erick555 commented 4 years ago

Note that even if GNOME Platform includes pinentry, it's unlikely they will add it to a version older than 3.36, so you may still consider including pinentry yourself in this app and dropping it when it's no longer needed.

cobratbq commented 4 years ago

I see what you mean. I have a slight bit of hope when arguing that gpg will not work completely without it and therefore can be treated as a bug or so. :-)

cobratbq commented 4 years ago

Note also that I am trying to include pinentry in the image itself, but so far I'm running into an issue that gpg assumes the wrong directory for pinentry, due to the flatpak directory structure.

Erick555 commented 4 years ago

I know a couple of apps in flathub that bundle pinentry and it works with gpg. Are you sure this isn't caused by lack of permissions? If you open a PR here with your changes I can look at it.

Also maybe you have pinentry-program in ~/.gnupg/gpg-agent.conf set?

cobratbq commented 4 years ago

> I know a couple of apps in flathub that bundle pinentry and it works with gpg.

I'm aware of Evolution. However, Evolution has a start-up parameter that configures itself to look for pinentry at a different location. AFAIK this isn't available for either Claws-Mail or gnupg (I checked available environment variables). So, either I'm missing something trivial and obvious, or it might be tricky to compel the right applications to redirect them towards pinentry at a different location.

> Are you sure this isn't caused by lack of permissions?

I've derived the necessary permissions from the Evolution flatpak manifest. Of course, that doesn't exclude all possible mistakes/omissions.

> If you open a PR here with your changes I can look at it.

I will do that soon. Thanks :-)

> Also maybe you have pinentry-program in ~/.gnupg/gpg-agent.conf set?

I'll need to check. It was low on my list, because I'm not sure if gpg-agent is even running. (Claws-Mail doesn't detect the agent - or at least disables the checkbox UI-control for the gpg-agent.)

Erick555 commented 4 years ago

> I'll need to check. It was low on my list, because I'm not sure if gpg-agent is even running. (Claws-Mail doesn't detect the agent - or at least disables the checkbox UI-control for the gpg-agent.)

AFAIK gpg-agent will be autostarted on demand if everything else is right.

cobratbq commented 4 years ago

> AFAIK gpg-agent will be autostarted on demand if everything else is right.

I will look into that, because that opens up a new avenue to configuration solutions.

cobratbq commented 4 years ago

FYI, this is still on my radar.

I have not yet found a way to redirect calling of pinentry to /app/bin/pinentry instead of the default /usr/bin/pinentry. Claws-Mail does not seem to allow configuring this at build time. ~/.gnupg/gpg-agent.conf is shared with the actual desktop due to homedir being shared, so changing it there is no option. gpg is pre-built, so I cannot change anything there. It is not possible to symlink /app/bin/pinentry to /usr/bin/pinentry due to / being a read-only file-system.

An option I can still think of is to see if we can hook into the gpg-agent on the host by sharing the gpg-agent socket. Not completely sure if that makes sense though.

Erick555 commented 4 years ago

Do you mean Claws-Mail hardcodes /usr/bin/pinentry path in their code? Maybe it could be patched there to call pinentry from $PATH?

cobratbq commented 4 years ago

> Do you mean Claws-Mail hardcodes /usr/bin/pinentry path in their code?

I am not sure which application it is, but it is assumed that pinentry is found at /usr/bin/pinentry. It could be due to defaults in gnupg (e.g. gpg-agent) or gpgme. I'll need to investigate further to see if I can figure that out.

> Maybe it could be patched there to call pinentry from $PATH?

Whichever application it is, I'll see if there's a configuration option for it.

Erick555 commented 4 years ago

> I am not sure which application it is, but it is assumed that pinentry is found at /usr/bin/pinentry. It could be due to defaults in gnupg (e.g. gpg-agent) or gpgme. I'll need to investigate further to see if I can figure that out.

pinentry was confirmed working in several flatpak apps (Evolution, Thunderbird, SmartGit) so it's either a Claws-Mail-specific issue or something with your test environment.

> I'm aware of Evolution. However, Evolution has a start-up parameter that configures itself to look for pinentry at a different location. AFAIK this isn't available for either Claws-Mail or gnupg (I checked available environment variables). So, either I'm missing something trivial and obvious, or it might be tricky to compel the right applications to redirect them towards pinentry at a different location.

The Evolution flatpak passes a start-up parameter to gpg-agent, not Evolution itself. You can try the same approach if nothing else works.
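
A shell diagnostic for the pinentry path question discussed in this thread, added here as an example and not written by any participant: it reports whether the pinentry path would come from a pinentry-program line in a gpg-agent.conf or from a default, and whether that path is executable. The function names are hypothetical, the sample files are constructed, and it assumes the last pinentry-program line in the file takes effect.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are hypothetical.

# pinentry_from_conf FILE
# Print the value of the last active (uncommented) pinentry-program line.
# Returns 1 if the file is unreadable or has no such line.
# Assumption: a later pinentry-program line overrides an earlier one.
pinentry_from_conf() {
    [ -r "$1" ] || return 1
    awk '$1 == "pinentry-program" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
         END { if (v == "") exit 1; print v }' "$1"
}

# resolve_pinentry CONF DEFAULT
# Print "<source> <status> <path>":
#   source = conf     path taken from pinentry-program in CONF
#          = default  no override found, DEFAULT is used
#   status = ok       path exists and is executable in this environment
#          = missing  it does not (the "no pinentry" situation)
resolve_pinentry() {
    conf=$1
    default=$2
    if path=$(pinentry_from_conf "$conf"); then
        source=conf
    else
        path=$default
        source=default
    fi
    if [ -x "$path" ]; then status=ok; else status=missing; fi
    printf '%s %s %s\n' "$source" "$status" "$path"
}

# Demo on constructed sample files (no real GnuPG configuration is touched).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/pinentry"
    chmod +x "$d/pinentry"
    printf '# constructed sample\npinentry-program %s\n' "$d/pinentry" \
        > "$d/gpg-agent.conf"
    resolve_pinentry "$d/gpg-agent.conf" /usr/bin/pinentry
    resolve_pinentry "$d/absent.conf" "$d/no-such-pinentry"
    rm -rf "$d"
}
demo
```

To check the real sandbox, open a shell with flatpak run --command=sh org.claws_mail.Claws-Mail, define the two functions, and call resolve_pinentry ~/.gnupg/gpg-agent.conf /usr/bin/pinentry; running the same call on the host shows whether the shared configuration points at a path that only exists outside the sandbox.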