flathub / org.kde.kleopatra

https://flathub.org/apps/details/org.kde.kleopatra

No pinentry #56

Open chrBrd opened 10 months ago

chrBrd commented 10 months ago

Issue as in title.

travier commented 10 months ago

This is not enough information to help you here.

Erick555 commented 10 months ago

Did you have gpg-agent running as per the instructions?

chrBrd commented 9 months ago

> This is not enough information to help you here.

I'm afraid there's nothing I can add that's genuinely useful. pinentry is installed on the system, gpg-agent is running.

I've even tried using --pinentry-program with a couple of different pinentry binaries when starting gpg-agent.

Issue still as in title. :)

Is there any information you suggest I provide?

Erick555 commented 9 months ago

Do you have gpg-agent socket in /run/user/<id>/gnupg ?

It was confirmed to work in flatpak and in kleopatra specifically

https://blog.grdryn.me/blog/flatpak-emacs-with-gpg-agent.html

https://github.com/flathub/flathub/pull/3182#issuecomment-1242964799

chrBrd commented 9 months ago

> Do you have gpg-agent socket in /run/user/<id>/gnupg?

Yep, daemon's running just fine.

It looks like it only works with pinentry-qt[4/5] (I normally use the console mode or GNOME's).

I've just got it working by installing that and starting the daemon with: gpg-agent --pinentry-program /usr/bin/pinentry-qt --daemon

Keyaku commented 8 months ago

I'm also running into this issue; using pinentry-qt as mentioned by @chrBrd solves it (or at least Kleopatra doesn't complain anymore), which means I have to put it in gpg-agent.conf.

EDIT: Apparently, using socket=gpg-agent instead of host=xdg-run/gnupg also causes this issue if Kleopatra launches the agent (i.e. if no gpg-agent was running prior to launching the app). Using host=xdg-run/gnupg + the pinentry setting mentioned above will work.

Erick555 commented 8 months ago

Does it work when agent is running before Kleopatra?

Keyaku commented 8 months ago

> Does it work when agent is running before Kleopatra?

Yes, but only with the pinentry option mentioned above.

chrBrd commented 8 months ago

If the agent isn't running before Kleopatra then there are no certificates to encrypt or decrypt anything with; pinentry isn't really relevant.

Things have changed for me after the recent Flatpak update and pinentry-qt no longer works, but console pinentry methods now do (with caveats, see below).

I've done some brief experimenting with different pinentry options, starting Kleopatra using flatpak run -vvvv in a console.

OS: openSUSE Tumbleweed with SwayWM

Kleopatra details:

  Version: 3.1.28.230805
  Origin: flathub
  Installation: system
  Installed: 165.6 MB
  Runtime: org.kde.Platform/x86_64/5.15-23.08
  Sdk: org.kde.Sdk/x86_64/5.15-23.08
  Commit: a9611316e6c10ca00ce0789e8916aafcfa5eba092646a2b68f8a9ffc3e5a125d

Error messages below are as shown in the 'Diagnostics' popup, eg:

gpg: signing failed: <ERROR_MSG>
gpg: -&38: sign+encrypt failed: <ERROR_MSG>

No additional information was shown in the terminal output from flatpak run... when attempting any of the below.

  - pinentry-[qt/qt4/qt5/gtk2]: 'No pinentry'
  - pinentry-gnome3: 'pinentry error'
  - pinentry-[curses/tty/fltk]: Works, but (on my system, might be different in a full DE) if Kleopatra isn't started from a console with flatpak run ... then the pinentry-... process will run in the background and ultimately time out.

gamer191 commented 6 months ago

It took me about 2 hours to figure out how to change the pinentry program Kleopatra uses. For other users having this issue, the command sudo update-alternatives --config pinentry will interactively ask you which program should be the default pinentry method.

Shoutout to https://unix.stackexchange.com/a/447045

EDIT: pinentry-curses doesn't seem to work: "Inappropriate ioctl for device"

EDIT 2: pinentry-qt works for me. If it doesn't work, install all pinentries using sudo apt install pinentry-*, then test each of them

orionn333 commented 4 months ago

I noticed this some months ago, but it wasn't until now that I decided to look further into the matter.

I had already configured gpg-agent to be started on system startup:
gpg-agent --pinentry-program /usr/bin/pinentry-qt --daemon

Checking the logs, I found the following:

Failed to create wl_display (No such file or directory)
qt.qpa.xcb: could not connect to display :0
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vkkhrdisplay, vnc, wayland-egl, wayland, xcb.
Process 20311 (pinentry-qt) of user 1000 terminated abnormally without generating a coredump.

So I decided to manually run pinentry-qt (typing GETPIN) and look for problems in my host setup, but it ran successfully.

After replacing the pinentry program in gpg-agent with a custom one (so as I could inspect the env. vars.), I finally discovered what was wrong:
pinentry-qt was being invoked with the env. var. WAYLAND_DISPLAY=/run/flatpak/wayland-0.
I'm not super knowledgeable in Flatpaks or anything, so my first impression was that they don't have access to the host user wayland socket, which is expected.

When pinentry is called, the env. vars. are the ones from the Flatpak environment, and since gpg-agent is being run outside the Flatpak container, pinentry-qt cannot be launched (obviously, /run/flatpak/wayland-0 does not exist on the host).

As a workaround, I created a wrapper that sets WAYLAND_DISPLAY=wayland-0 and then calls pinentry-qt. I configured gpg-agent to use it, and now Kleopatra works as expected.

This started happening on Flatpak 1.15.6, mainly due to:

Previous behaviour was:

  1. If the env. var. WAYLAND_DISPLAY wasn't set, it would then set its value to "wayland-0" (which is /run/user/<user-id>/wayland-0).
  2. Create a symlink, inside the sandbox, located in the expected path, according to the value of WAYLAND_DISPLAY (for "wayland-0", /run/user/<user-id>/wayland-0), and which would point to /run/flatpak/<wayland-display>, the sandboxed Wayland socket. (In the prev. ex.: /run/flatpak/wayland-0). WAYLAND_DISPLAY remains the same.

But now:

  1. A new private Wayland socket is created in the host (/run/user/<user-id>/.flatpak/wl/wayland-<XXXXXX>), which is then bound to the sandbox path /run/flatpak/<wayland-display>.
  2. Inside the sandbox, WAYLAND_DISPLAY value is updated to /run/flatpak/<wayland-display>.

I have not investigated further, but from what I've seen so far, if some random env. vars. and WAYLAND_DISPLAY are modified inside the sandbox, the WAYLAND_DISPLAY value inside the sandbox will be passed to pinentry while the other variables won't. The rest of env. variables that were provided to gpg-agent are the ones passed to pinentry, no matter what was done inside the sandbox. I guess it has something to do with bwrap, but I don't know for sure.

Technically, it will also work if the wrapper is modified to call env WAYLAND_DISPLAY=/run/user/<user-id>/.flatpak/wl/wayland-<XXXXXX> pinentry-qt, but the "XXXXXX" string MUST correspond with an active socket (ideally from the “parent” Kleopatra instance). There will be different sockets for every instance of any Flatpak app (at least from the current boot), so it isn't practical at all as a workaround.

Wrapper

pinentry-wrapper.sh:

#!/usr/bin/sh
# Invoked by gpg-agent on the host (pinentry-program in gpg-agent.conf).
# The sandboxed Kleopatra hands gpg-agent WAYLAND_DISPLAY=/run/flatpak/<wayland-display>,
# which does not exist on the host, so override it with the host compositor's
# socket name before starting the real pinentry; all arguments are passed through.
env WAYLAND_DISPLAY=wayland-0 pinentry-qt "$@"

TL;DR

With Flatpak 1.15.6 (or higher), Kleopatra invokes pinentry-qt with the environment variable WAYLAND_DISPLAY=/run/flatpak/<wayland-display>, and since pinentry runs at host level instead of within the Flatpak sandbox, it can't get access to a Wayland display.
I got Kleopatra to successfully retrieve data from pinentry-qt by creating a wrapper that sets WAYLAND_DISPLAY=wayland-0 and then calls pinentry.
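The wrapper above hard-codes wayland-0. As an added example, not code from this thread or from the Kleopatra or Flatpak projects, the script below generalizes it: it keeps an incoming WAYLAND_DISPLAY only if the socket actually exists under XDG_RUNTIME_DIR, otherwise picks the first wayland-N socket the host compositor created, and falls back to X11 or a console pinentry when no Wayland socket is reachable. The pinentry paths, the PINENTRY_WRAPPER_LOG variable and the file name pinentry-wrapper.sh are assumptions for this example; the wrapper only rewrites environment variables and never sees the passphrase, which travels over pinentry's stdin/stdout protocol untouched.

```shell
#!/bin/sh
# pinentry-wrapper.sh (example, not from the issue thread): install it, then put
#   pinentry-program /path/to/pinentry-wrapper.sh
# in gpg-agent.conf and run "gpgconf --reload gpg-agent".
# Assumed paths; override through the environment if your distro differs.
PINENTRY_GUI="${PINENTRY_GUI:-/usr/bin/pinentry-qt}"
PINENTRY_TTY="${PINENTRY_TTY:-/usr/bin/pinentry-curses}"
# Optional diagnostics log (assumed variable name). Only environment values are
# logged; the PIN itself never passes through this script.
LOGFILE="${PINENTRY_WRAPPER_LOG:-}"

log() {
  if [ -n "$LOGFILE" ]; then
    printf '%s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$*" >> "$LOGFILE"
  fi
}

# True when the path is a UNIX socket (kept as a function so tests can stub it).
is_socket() { [ -S "$1" ]; }

# resolve_wayland_display RUNTIME_DIR REQUESTED
# Prints a WAYLAND_DISPLAY value whose socket exists on the host, or nothing
# (status 1) if none does. An absolute path such as /run/flatpak/wayland-0 is
# honoured only when it exists, which is exactly what rejects the sandbox path.
resolve_wayland_display() {
  runtime_dir=$1
  requested=$2
  case "$requested" in
    "") ;;
    /*) is_socket "$requested" && { printf '%s\n' "$requested"; return 0; } ;;
    *)  is_socket "$runtime_dir/$requested" && { printf '%s\n' "$requested"; return 0; } ;;
  esac
  # Fall back to the first wayland-N socket in the runtime dir, skipping lock files.
  for sock in "$runtime_dir"/wayland-[0-9]*; do
    case "$sock" in *.lock) continue ;; esac
    is_socket "$sock" && { printf '%s\n' "${sock##*/}"; return 0; }
  done
  return 1
}

# choose_pinentry RUNTIME_DIR WAYLAND_DISPLAY DISPLAY
# Prints "wayland <name>", "x11" or "tty" depending on what is reachable.
choose_pinentry() {
  wl=$(resolve_wayland_display "$1" "$2") && { printf 'wayland %s\n' "$wl"; return 0; }
  [ -n "$3" ] && { printf 'x11\n'; return 0; }
  printf 'tty\n'
}

main() {
  runtime="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
  choice=$(choose_pinentry "$runtime" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}")
  log "WAYLAND_DISPLAY='${WAYLAND_DISPLAY:-}' DISPLAY='${DISPLAY:-}' -> $choice"
  case "$choice" in
    wayland*) exec env WAYLAND_DISPLAY="${choice#wayland }" "$PINENTRY_GUI" "$@" ;;
    x11)      exec env -u WAYLAND_DISPLAY "$PINENTRY_GUI" "$@" ;;
    tty)      exec "$PINENTRY_TTY" "$@" ;;
  esac
}

# Dispatch only when run as the installed wrapper, so the functions can be
# sourced for testing without spawning a pinentry.
case "$0" in
  *pinentry-wrapper*) main "$@" ;;
esac
```

Set PINENTRY_WRAPPER_LOG to a file in your home directory while debugging and the log shows which WAYLAND_DISPLAY value gpg-agent handed the wrapper and what it resolved to, which is the same information the custom pinentry in the comment above was used to obtain.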

Erick555 commented 4 months ago

Please report it as regression in https://github.com/flatpak/flatpak/issues