jaymzh / pius

PGP Individual User Signer

libpius doesn't work with MacGPG #13

Closed aabdnn closed 9 years ago

aabdnn commented 9 years ago

I have MacGPG installed on my Mac. This is a binary package that identifies itself as:

$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28

This does not match the regex in line 92 of signer.py.

Any chance you could patch pius to support MacGPG (or change the regex to be more lenient)?

aabdnn commented 9 years ago

I also forgot to mention that there's another bug. Line 96 reads:

if not v:

However, if the match had failed, v will be undefined, and cause a traceback.

jaymzh commented 9 years ago

I don't have a mac handy. Can you send the output of running it with -d?

jaymzh commented 9 years ago

Oh, sorry I misunderstood what you were saying (or rather jumped to the wrong line). Yup, I'll get a fix up in a second.

jaymzh commented 9 years ago

should be fixed in the referenced commit on master - can you confirm?

aabdnn commented 9 years ago

This commit has fixed the version check. However, now pius fails because it's not getting the passphrase from the agent.

$ pius -b /usr/local/bin/gpg -H smtp.ripe.net -m anandb@ripe.net -P 25 -s 0x0CC92A05 -S -d 0x59565a0e
Welcome to PIUS, the PGP Individual UID Signer.
Setting debug
DEBUG: /usr/local/bin/gpg --version
DEBUG: ['/usr/local/bin/gpg', '--keyid-format', 'long', '--no-auto-check-trustdb', '-q', '--no-tty', '--batch', '--no-default-keyring', '--keyring', '/Users/anandb/.gnupg/pubring.gpg', '--fingerprint', '0x59565a0e']
pub 1024D/1EC095E959565A0E 2008-06-27
Key fingerprint = C8A1 E8D5 83CD 6D1D 4C8C 9E37 1EC0 95E9 5956 5A0E
uid [ unknown] Kazunori Fujiwara fujiwara@jprs.co.jp
uid [ unknown] Kazunori Fujiwara fujiwara@wide.ad.jp
sub 2048g/B82282D8402A5C68 2008-06-27

Have you verified this user/key, and if so, what level do you want to sign at? 0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q](default: n) 3
Signing all UIDs on key 0x59565a0e
DEBUG: ['/usr/local/bin/gpg', '--keyid-format', 'long', '--no-auto-check-trustdb', '-q', '--no-tty', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/Users/anandb/.gnupg/pubring.gpg', '--no-options', '--with-colons', '--edit-key', '0x59565a0e']
DEBUG: Got a line pub:-:1024:17:1EC095E959565A0E:1214549611:0::-:::sc
DEBUG: Got a line fpr:::::::::C8A1E8D583CD6D1D4C8C9E371EC095E959565A0E:
DEBUG: Got a line sub:-:2048:16:B82282D8402A5C68:1214549611:0:::::e
DEBUG: Got a line fpr:::::::::F6785488E497088896783E2BB82282D8402A5C68:
DEBUG: Got a line uid:-::::::::Kazunori Fujiwara fujiwara@jprs.co.jp:::S9 S8 S7 S3 S2 H2 H8 H3 Z2 Z3 Z1,mdc,no-ks-modify:1,p:
DEBUG: Got UID Kazunori Fujiwara fujiwara@jprs.co.jp with status -
DEBUG: got email fujiwara@jprs.co.jp
DEBUG: 0x59565a0efujiwara_at_jprs.co.jp0x0CC92A05 isn't in []
DEBUG: Got a line uid:-::::::::Kazunori Fujiwara fujiwara@wide.ad.jp:::S9 S8 S7 S3 S2 H2 H8 H3 Z2 Z3 Z1,mdc,no-ks-modify:2,:
DEBUG: Got UID Kazunori Fujiwara fujiwara@wide.ad.jp with status -
DEBUG: got email fujiwara@wide.ad.jp
DEBUG: 0x59565a0efujiwara_at_wide.ad.jp0x0CC92A05 isn't in ['0x59565a0efujiwara_at_jprs.co.jp0x0CC92A05']
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
There are 2 UIDs on this key to sign
DEBUG: exporting 0x59565a0e
DEBUG: ['/usr/local/bin/gpg', '--keyid-format', 'long', '--no-auto-check-trustdb', '-q', '--no-tty', '--batch', '--no-default-keyring', '--keyring', '/Users/anandb/.gnupg/pubring.gpg', '--armor', '--output', '/tmp/pius_tmp/0x59565a0e.asc', '--export', '0x59565a0e', '0x0CC92A05']
UID 1 (fujiwara@jprs.co.jp):
DEBUG: ['/usr/local/bin/gpg', '--keyid-format', 'long', '--no-auto-check-trustdb', '-q', '--no-tty', '--batch', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '--import-options', 'import-minimal', '--import', '/tmp/pius_tmp/0x59565a0e.asc']
DEBUG: ['/usr/local/bin/gpg', '--keyid-format', 'long', '--no-auto-check-trustdb', '-q', '--no-tty', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '-u', '0x0CC92A05', '--use-agent', '--default-cert-level', '3', '--no-ask-cert-level', '--edit-key', '0x59565a0e']
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay
DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT 15E0A3250CC92A05 Anand Buddhdev anandb@ripe.net
DEBUG: Got [GNUPG:] NEED_PASSPHRASE 15E0A3250CC92A05 15E0A3250CC92A05 1 0
DEBUG: Got [GNUPG:] MISSING_PASSPHRASE
DEBUG: Got [GNUPG:] BAD_PASSPHRASE 15E0A3250CC92A05
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt
ERROR: Agent didn't provide passphrase to PGP.
gpg-agent problems, bailing out!

jaymzh commented 9 years ago

You're specifically getting BAD_PASSPHRASE from your agent. This either means you gave it the wrong passphrase, or it was unable to pop up the pinentry program. That usually happens because (1) you're using a graphical pinentry but you're inside something like screen where it can't launch it or (2) you're using a graphical pinentry program but over SSH without X forwarding.

There are a few things you can try here:

  1. Change ~/.gnupg/gpg-agent.conf and set pinentry-program to /usr/bin/pinentry-tty or /usr/bin/pinentry-curses (make sure you've installed the appropriate one)...
  2. Try running the command PIUS is running manually: /usr/local/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --passphrase-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x0CC92A05 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 0x59565a0e

Doing so requires a bit of finagling. Once you run it you'll get nothing; you need to hit enter in order to kick it into doing something. You'll get some stuff, then type 1 and hit enter to select the first UID; it'll do some stuff, then type sign and hit enter; it'll do some stuff, then type y and hit enter to confirm, and see what happens!

jaymzh commented 9 years ago

[side note, I just pushed a change to master that changes debug printing of commands to not print them as arrays so that they are copy-paste-friendly.]

tresni commented 9 years ago

For MacGPG pinentry-tty and pinentry-curses are not available. However, there is a pinentry-mac found at /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac. It looks like that is set up in ~/.gpg-agent.conf by default:

» cat ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
» /usr/local/bin/gpg -vvvvvv --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --passphrase-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/bhartvigsen/.pius/tmp/pius_keyring.gpg -u brian.andrew@brianandjenny.com --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 996FD4B9125D0CEBE3261E1C15E0A3250CC92A05
gpg: using character set `utf-8'

gpg: using PGP trust model
gpg: key 76D78F0500D026C4: accepted as trusted key
gpg: key 4A00DB3D202D5E3C: accepted as trusted key
gpg: key 31AF19C8AE9DEA38: accepted as trusted key
gpg: key F76E1922115C96D6: accepted as trusted key
[GNUPG:] GET_LINE keyedit.prompt
1
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
sign
[GNUPG:] GOT_IT
gpg: NOTE: signature key 471FDACFF982D4B0 has been revoked
[GNUPG:] GET_BOOL sign_uid.okay
y
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 4A00DB3D202D5E3C Brian Hartvigsen <brian.andrew@brianandjenny.com>
[GNUPG:] NEED_PASSPHRASE 4A00DB3D202D5E3C 4A00DB3D202D5E3C 1 0
[GNUPG:] MISSING_PASSPHRASE
gpg: NOTE: signature key 471FDACFF982D4B0 has been revoked
[GNUPG:] BAD_PASSPHRASE 4A00DB3D202D5E3C
gpg: signing failed: Bad passphrase
[GNUPG:] GET_LINE keyedit.prompt

Running pinentry-mac via CLI seems to work fine:

» /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac --help
pinentry-mac (pinentry) 0.9.4
Copyright (C) 2015 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Usage: pinentry-mac [options] (-h for help)
Ask securely for a secret and print it to stdout.
Options:
 -d, --debug                Turn on debugging output
 -D, --display DISPLAY      Set the X display
 -T, --ttyname FILE         Set the tty terminal node name
 -N, --ttytype NAME         Set the tty terminal type
 -C, --lc-ctype STRING      Set the tty LC_CTYPE value
 -M, --lc-messages STRING   Set the tty LC_MESSAGES value
 -o, --timeout SECS         Timeout waiting for input after this many seconds
 -g, --no-global-grab       Grab keyboard only while window is focused
 -W, --parent-wid           Parent window ID (for positioning)
 -c, --colors STRING        Set custom colors for ncurses

Please report bugs to <http://bugs.gnupg.org>.

» /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac -d
OK Your orders please
^C

Funny enough, I'm trying to sign @aabdnn 's key :)

tresni commented 9 years ago

I believe I found the issue. For GPGTools passing --passphrase-fd 0 stops pinentry-mac from launching. I found nothing in the console log to explain this, but it seems to be the case. Simply removing that option allowed it to work. I'll see if I can get you a patch that detects gpgtools and adjusts the parameters appropriately :)

tresni commented 9 years ago

Turns out that --passphrase-fd 0 seemed to kill pinentry on Debian and OSX for me when using gpg2. My PR checks for gpg2 and doesn't use that and now pius works beautifully for me :)
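The two fixes discussed in this thread, brought together as an added example that is not pius's own code: a version regex lenient enough to match the MacGPG2 banner quoted at the top (and one that never leaves the result unbound when it fails to match), an argument builder that drops `--passphrase-fd 0` for gpg2 so the agent's pinentry can prompt, and a small classifier for the `--status-fd` lines that distinguishes "pinentry never ran" (MISSING_PASSPHRASE followed by BAD_PASSPHRASE, as in the logs above) from a wrong passphrase. All function names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical helpers written for this thread, not pius's own code.
# The banner regex accepts "gpg (GnuPG) 1.4.x" and "gpg (GnuPG/MacGPG2) 2.0.28".
_VERSION_RE = re.compile(r"^gpg \([^)]*GnuPG[^)]*\) (\d+)\.(\d+)\.(\d+)", re.MULTILINE)
# --status-fd lines have the shape "[GNUPG:] KEYWORD optional args".
_STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_gpg_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `gpg --version` output, or None.
    Always binding a result avoids the traceback from testing an unset variable
    when the banner does not match the regex."""
    m = _VERSION_RE.search(version_output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def build_edit_key_args(gpg_bin: str, version: Tuple[int, int, int],
                        keyring: str, signer: str, target: str) -> List[str]:
    """Argument list for the --edit-key run that pius drives over --command-fd."""
    args = [gpg_bin, "--keyid-format", "long", "--no-auto-check-trustdb", "-q",
            "--no-tty", "--batch", "--command-fd", "0", "--status-fd", "1"]
    if version[0] < 2:
        # gpg 1.x reads the passphrase from the same fd as the edit commands.
        args += ["--passphrase-fd", "0"]
    # With gpg2 the agent's pinentry asks for the passphrase; passing
    # --passphrase-fd 0 kept pinentry from launching in this issue.
    args += ["--no-default-keyring", "--keyring", keyring, "-u", signer,
             "--use-agent", "--default-cert-level", "3", "--no-ask-cert-level",
             "--edit-key", target]
    return args


def diagnose_status(status_output: str) -> str:
    """Classify a signing run from its --status-fd lines (other text is ignored)."""
    keywords = [m.group(1) for m in map(_STATUS_RE.match, status_output.splitlines()) if m]
    if "MISSING_PASSPHRASE" in keywords and "BAD_PASSPHRASE" in keywords:
        return "agent-no-passphrase"  # pinentry never delivered one, as in this thread
    if "BAD_PASSPHRASE" in keywords:
        return "wrong-passphrase"
    return "ok"
```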