gopasspw / gopassbridge

A web extension for Firefox and Chrome to insert login credentials from gopass
MIT License

Firefox + Ubuntu "Failed to get secret: unable to decrypt" #158

Open torfmaster opened 4 years ago

torfmaster commented 4 years ago

When I try to decrypt a secret in Firefox I get the error message: "Failed to get secret: unable to decrypt".

My setup is:

However, I am unable to get detailed error messages from gopass related to this error.

Pharb commented 4 years ago

Hi @torfmaster,

thanks for raising this issue.

Is it correct to assume that gopass on your terminal works without issue?

Did you follow the steps to set up the gopass jsonapi without errors? https://github.com/gopasspw/gopass/blob/master/docs/setup.md#filling-in-passwords-from-browser

Are you asked for pinentry/passphrase when activating gopassbridge in Firefox?

Pharb commented 4 years ago

Also maybe try to restart your gpg-agent, it seems to help sometimes: https://github.com/gopasspw/gopassbridge/issues/152#issuecomment-658337911

torfmaster commented 4 years ago

> Is it correct to assume that gopass on your terminal works without issue?

Yes.

> Did you follow the steps to set up the gopass jsonapi without errors? https://github.com/gopasspw/gopass/blob/master/docs/setup.md#filling-in-passwords-from-browser

Yes.

> Are you asked for pinentry/passphrase when activating gopassbridge in Firefox?

No, it fails right away.

> Also maybe try to restart your gpg-agent, it seems to help sometimes: #152 (comment)

This doesn't help, unfortunately.

doronbehar commented 4 years ago

Hey, I'm experiencing a perhaps similar issue with Gnome + Wayland and Firefox with MOZ_ENABLE_WAYLAND=1 set.

Here are steps to reproduce:

  1. Start a Gnome Wayland session (it could be that other wayland based WM will work).
  2. Start a terminal that works natively with Wayland - such as gnome-terminal.
  3. Run from that terminal the command env MOZ_ENABLE_WAYLAND=1 firefox.
  4. Go to about:support
  5. Use Ctrl-F and search for "Window Protocol" to make sure native Wayland support is used - it should say wayland/drm. See Arch Wiki article.
  6. Now try to use gopass' Web extension.

A note on step 1: I just switched to using Wayland for my Gnome session and it occurred to me that I had to clear all dconf settings in order for it to launch - see this thread.

On the other hand, what's very peculiar is that if you run a gopass command from a terminal with native Wayland support such as gnome-terminal, Pinentry launches just fine.

A further note on my attempts to debug this:

I don't know if it's strictly a gopass issue. It might be due to how pinentry is launched by gpg, when gpg is being run from a wayland application? IDK, it's so complicated!

In the meantime, I ran into this which might be worth trying, not necessarily directly - perhaps not everything there is needed.

I'm still investigating and I'll update if I find anything else.

doronbehar commented 4 years ago

Oh and I forgot to say I tested it against the latest and greatest gopass version 1.10.0, both the gopass and the new gopass-jsonapi binaries were used together.

doronbehar commented 4 years ago

I opened an issue upstream since I was able to reproduce this without gopass at all - only Gnome + Wayland and gpg:

https://dev.gnupg.org/T5036

doronbehar commented 4 years ago

I take some of my words back - using or not using MOZ_ENABLE_WAYLAND=1 doesn't make a difference if Firefox is launched by Gnome and not gnome-terminal.

doronbehar commented 4 years ago

@torfmaster according to my successful investigation with upstream at https://dev.gnupg.org/T5036, indeed this is a bug that should be fixed in the upcoming gnupg 2.2.20 version. Could you please report which GnuPG version you are using? I'd be happy to help you fix it on your machine.

nexx512 commented 3 years ago

Is this the same issue as #182? In my case the error message mentioned here is the same one I had with the issue described in #182. Updating gpg to 2.2.19, however, didn't work for me. Despite that, installing gpg pinentry without gnome3 support solved the issue. It now works with the gtk2 pinentry dialog.

visika commented 4 months ago

I installed gopassbridge for the first time and had the same error. I managed to get it working though; maybe that can be relevant to others having the same issue.

I had the error mentioned, "Failed to get secret: unable to decrypt", with a fresh install of gopass and gopass-jsonapi on Arch Linux. Gopass from CLI would prompt for a passphrase directly in the terminal, no graphical windows, and it worked well. However, gopassbridge did not like that. I had to install a different pinentry program (I tried pinentry-bemenu and pinentry-rofi and they both work, but the same method applies with other programs) and then configure the system to actually use the pinentry program I chose.

To tell the system which pinentry program to use, I found the ArchWiki useful, see https://wiki.archlinux.org/title/GnuPG#pinentry §6.3 pinentry and §6.2 Reload the agent.

Here is a summary of the steps I took to make it work for me:

# Install the pinentry program (I used yay, use apt for ubuntu)
$ yay -S pinentry-rofi

# Find where is the installed pinentry program
$ which pinentry-rofi
/usr/bin/pinentry-rofi

# Tell GnuPG which program to use
$ cat ~/.gnupg/gpg-agent.conf 
pinentry-program /usr/bin/pinentry-rofi

# Reload the agent to apply changes
$ gpg-connect-agent reloadagent /bye
OK

P.S. This may or may not be relevant for similar open issues #152 #182
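
The check behind the steps in the comment above, as an added example that is not part of the thread or of gopass: it reads a gpg-agent.conf, finds the configured pinentry-program, and flags the terminal-only case that works from the CLI but not from the browser extension. The function names, the name-based classification, and the "last occurrence wins" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): does gpg-agent.conf name a pinentry
# that can prompt when gpg is started by the browser instead of a terminal?

# Print the effective pinentry-program value from a gpg-agent.conf file.
# Assumption: if the option is repeated, the last occurrence wins.
pinentry_from_conf() {
    [ -r "$1" ] || return 1
    awk '$1 == "pinentry-program" { $1 = ""; sub(/^[ \t]+/, ""); p = $0 }
         END { if (p == "") exit 1; print p }' "$1"
}

# Classify a pinentry by file name only (heuristic, an assumption of this example).
classify_pinentry() {
    case "$(basename "$1")" in
        pinentry-curses|pinentry-tty) echo tty-only ;;
        pinentry)                     echo distro-default ;;
        pinentry-*)                   echo gui ;;
        *)                            echo unknown ;;
    esac
}

# Return 0 only when the configured pinentry exists and is not terminal-bound.
audit_conf() {
    prog=$(pinentry_from_conf "$1") || {
        echo "FAIL: no pinentry-program in $1; the agent uses its built-in default"
        return 1
    }
    kind=$(classify_pinentry "$prog")
    if [ "$kind" = tty-only ]; then
        echo "FAIL: $prog prompts on a terminal, which gopassbridge cannot offer"
        return 1
    fi
    if [ ! -x "$prog" ]; then
        echo "FAIL: $prog is missing or not executable"
        return 1
    fi
    echo "OK: $prog ($kind); apply with: gpg-connect-agent reloadagent /bye"
}

# Constructed sample config: a terminal-only pinentry, the failing situation.
sample=$(mktemp)
printf '# constructed sample\npinentry-program /usr/bin/pinentry-curses\n' > "$sample"
audit_conf "$sample" || true      # prints the FAIL line for pinentry-curses
rm -f "$sample"
```

To check a real setup, call `audit_conf ~/.gnupg/gpg-agent.conf` instead of the constructed sample.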

doronbehar commented 4 months ago

You may be interested in https://github.com/gopasspw/gopass/pull/2869 which adds useful log messages to the output of gopass, which may help you debug. See also the first comment at https://github.com/gopasspw/gopass/pull/2576 .