gopasspw / gopass

The slightly more awesome standard unix password manager for teams
https://www.gopass.pw/
MIT License

gpg: problem with fast path key listing: Forbidden - ignored #2485

Open jmgilman opened 1 year ago

jmgilman commented 1 year ago

Summary

When running any gopass commands that require decryption, I receive the following warning:

gpg: problem with fast path key listing: Forbidden - ignored

Steps To Reproduce

  1. Configure a new gopass vault using GPG
  2. Run any commands that require decryption (i.e. gopass show my/secret)
  3. See the warning appear

Expected behavior

I am expecting no warnings to be produced from GPG.

Environment

Additional context

It's worth noting that I do not see this warning when performing other decryption actions using gpg from the CLI. I'm assuming that gopass must be doing something unique that's triggering this warning. Unfortunately, searching for the exact warning basically produces nothing.

It's also worth noting that I use gopass with a lot of other tools, namely aws-vault, and so when calling commands that rely on decryption I'm constantly seeing this warning appear. It would be nice to figure out how to make it stop.

gpg (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/josh/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
gpg-agent (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

dominikschulz commented 1 year ago

The code is confusing. But it looks like it's really only a warning: https://github.com/gpg/gnupg/blob/master/g10/call-agent.c#L2277

dominikschulz commented 1 year ago

I found this NixOS discussion. This could either be a NixOS issue or a (breaking?) change in recent GPG releases.

georglauterbach commented 3 months ago

I'm seeing the same message, but I cannot use GPG at all:

$ echo "test" | gpg --clear-sign
gpg: problem with fast path key listing: Forbidden - ignored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

The result is the same, with GPG_TTY set or not. Please help me get GnuPG to work; I currently need to bind-mount the ${HOME}/.gnupg directory from my host into my container :(

trallnag commented 3 months ago

This conversation in the GnuPG mailing list

https://lists.gnupg.org/pipermail/gnupg-users/2024-April/067043.html

mentions:

If you use the extra-socket certain operations are forbidden so that a rogue gpg version on the remote site won't be able to change passwords, export secret keys, or get a listing of all available secret keys. This is why you see this diagnostic.
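
The following is an added example, not code from this thread, gopass or GnuPG: it separates the ignored "fast path" warning from lines that report a failed operation, and probes whether the current agent connection is a restricted one. The function names are hypothetical, the sample stderr is constructed from the messages quoted above, and the probe assumes the agent supports `GETINFO restricted` and that `gpg-connect-agent` accepts `--no-autostart`.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample input is constructed
# from the gpg messages quoted in this thread.

# Classify one line of gpg stderr.
classify_gpg_line() {
    case "$1" in
        *"problem with fast path key listing: Forbidden - ignored"*)
            echo "warning:restricted-agent" ;;  # listing refused, gpg carries on
        *"failed:"*)
            echo "fatal" ;;                     # the operation itself did not complete
        *)
            echo "info" ;;
    esac
}

# Read gpg stderr on stdin and print a one-line verdict.
triage_gpg_stderr() {
    restricted=no; fatal=no
    while IFS= read -r line; do
        case "$(classify_gpg_line "$line")" in
            warning:restricted-agent) restricted=yes ;;
            fatal) fatal=yes ;;
        esac
    done
    echo "restricted_agent=$restricted fatal=$fatal"
}

# Assumption: "GETINFO restricted" answers OK on a restricted connection, ERR otherwise.
reply_means_restricted() {
    case "$(printf '%s\n' "$1" | sed -n '$p')" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live probe: 0 = restricted, 1 = unrestricted, 2 = no agent reachable.
agent_is_restricted() {
    reply=$(gpg-connect-agent --no-autostart 'getinfo restricted' /bye 2>/dev/null || true)
    [ -n "$reply" ] || return 2
    reply_means_restricted "$reply"
}

SAMPLE='gpg: problem with fast path key listing: Forbidden - ignored
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device'
printf '%s\n' "$SAMPLE" | triage_gpg_stderr
```

To triage a real run, pipe the command's stderr into `triage_gpg_stderr`, and call `agent_is_restricted` in the same environment (container, SSH session) where the warning appears.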