jaymzh / pius

PGP Individual User Signer

Fixing support for gpg2/gpg-agent #16

Closed tresni closed 9 years ago

tresni commented 9 years ago

This solves #13 for me and also makes it so pius works on my Debian box with gpg2 as well (similar issue).

I think I'm done for the day ;-)

jaymzh commented 9 years ago

This will absolutely break gpg1 support... you need to have that option for gpg1.

Also, I develop on Debian sid with gpg2.1, so the existing code works fine; I don't know why it doesn't work for you.

tresni commented 9 years ago

I've specifically written the code to make sure that the changes I am suggesting only happen under gpg2. gpg1 will still get the necessary options passed to it. I did not simply remove the option.

I wanted to make sure my code worked on other operating systems as I originally thought this was just an OSX issue. To test I installed clean Debian 8, gpg, pinentry-curses, gpg-agent and master and it most definitely barfed on getting over to pinentry. My change got it working.

ii  gnupg                               1.4.18-7                  i386         GNU privacy guard - a free PGP replacement
ii  gnupg-agent                         2.0.26-6                  i386         GNU privacy guard - password agent
ii  gnupg2                              2.0.26-6                  i386         GNU privacy guard - a free PGP replacement (new v2.x)
ii  gpgv                                1.4.18-7                  i386         GNU privacy guard - signature verification tool
ii  libgpg-error0:i386                  1.17-3                    i386         library for common error values and messages in GnuPG components
ii  libgpgme11:i386                     1.5.1-6                   i386         GPGME - GnuPG Made Easy (library)
ii  pinentry-curses                     0.8.3-2                   i386         curses-based PIN or pass-phrase entry dialog for GnuPG

gpg-agent.conf

» cat .gnupg/gpg-agent.conf                                                        «
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 600
max-cache-ttl 7200

I will specifically test with gpg1 and post the results.

tresni commented 9 years ago

Using gpg1, the only change to the code from what I have above is DEBUG_ON=True

linode ~/pius ●» /usr/bin/gpg --version                                       « [gpg2_support]
gpg (GnuPG) 1.4.18
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

linode ~/pius ●» ./pius -b /usr/bin/gpg -vs 6D7BC4BF AE9DEA38                « [gpg2_support●]
Welcome to PIUS, the PGP Individual UID Signer.

Would you like to automatically send the signed UIDs to their owners using
PGP/Mime encryption as you sign each one? n
DEBUG: Running: /usr/bin/gpg --version
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! WARNING: You are using GnuPG 1.x. Support for the 1.x series will be !!
!!          dropped in the next release, please migrated to GnuPG 2.x.  !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

WARNING: You passed in short keyids. Short keyids are forgable and should be avoided.
Type "I understand" to continue: I understand
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/tresni/.gnupg/pubring.gpg --fingerprint AE9DEA38
pub   2048R/31AF19C8AE9DEA38 2011-09-23 [expires: 2021-09-20]
      Key fingerprint = 9050 4CAE 7DE6 51FF 66D4  29AF 31AF 19C8 AE9D EA38
uid                          Brian Somers <brsomers@cisco.com>
uid                          Brian Somers <bsomers@OpenDNS.com>
sub   2048R/F501592586670003 2011-09-23 [expires: 2021-09-20]

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key AE9DEA38
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --passphrase-fd 0 --no-default-keyring --keyring /home/tresni/.gnupg/pubring.gpg --no-options --with-colons --edit-key AE9DEA38
DEBUG: Got a line pub:-:2048:1:31AF19C8AE9DEA38:1316810988:1632170988::-:
DEBUG: Got a line fpr:::::::::90504CAE7DE651FF66D429AF31AF19C8AE9DEA38:
DEBUG: Got a line sub:-:2048:1:F501592586670003:1316810988:1632170988:::
DEBUG: Got a line fpr:::::::::9908327FE6D4106C5C42DB5AF501592586670003:
DEBUG: Got a line uid:-::::::::Brian Somers <brsomers@cisco.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p:
DEBUG: Got UID Brian Somers <brsomers@cisco.com> with status -
DEBUG: got email brsomers@cisco.com
DEBUG: AE9DEA38__brsomers_at_cisco.com__6D7BC4BF isn't in []
DEBUG: Got a line uid:-::::::::Brian Somers <bsomers@OpenDNS.com>:::S9 S8 S7 S3 S2 H8 H2 H9 H10 H11 Z2 Z3 Z1,mdc,no-ks-modify:2,:
DEBUG: Got UID Brian Somers <bsomers@OpenDNS.com> with status -
DEBUG: got email bsomers@OpenDNS.com
DEBUG: AE9DEA38__bsomers_at_OpenDNS.com__6D7BC4BF isn't in ['AE9DEA38__brsomers_at_cisco.com__6D7BC4BF']
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There are 2 UIDs on this key to sign
DEBUG: exporting AE9DEA38
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/tresni/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/AE9DEA38.asc --export AE9DEA38 6D7BC4BF
  UID 1 (brsomers@cisco.com): DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/AE9DEA38.asc
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --passphrase-fd 0 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 6D7BC4BF --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key AE9DEA38
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT 3F4463186D7BC4BF Brian Hartvigsen (test) (This is a test key and should never show up) <tresni@localhost>

DEBUG: Got [GNUPG:] NEED_PASSPHRASE 3F4463186D7BC4BF 3F4463186D7BC4BF 1 0

DEBUG: Got [GNUPG:] GOOD_PASSPHRASE

DEBUG: Saving key
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
signedDEBUG: exporting AE9DEA38
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/AE9DEA38__brsomers_at_cisco.com__6D7BC4BF.asc --export AE9DEA38

  UID 2 (bsomers@OpenDNS.com): DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/AE9DEA38.asc
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --passphrase-fd 0 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 6D7BC4BF --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key AE9DEA38
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 2
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT 3F4463186D7BC4BF Brian Hartvigsen (test) (This is a test key and should never show up) <tresni@localhost>

DEBUG: Got [GNUPG:] NEED_PASSPHRASE 3F4463186D7BC4BF 3F4463186D7BC4BF 1 0

DEBUG: Got [GNUPG:] GOOD_PASSPHRASE

DEBUG: Saving key
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
signedDEBUG: exporting AE9DEA38
DEBUG: Running: /usr/bin/gpg --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/AE9DEA38__bsomers_at_OpenDNS.com__6D7BC4BF.asc --export AE9DEA38

  Signed UNencrypted keys:
    bsomers@OpenDNS.com: /tmp/pius_out/AE9DEA38__bsomers_at_OpenDNS.com__6D7BC4BF.asc

jaymzh commented 9 years ago

Sorry - I read it quickly and missed lines 70-72. My bad.

jaymzh commented 9 years ago

Actually I'll just update the messages post-merge. Let's get this in while I have a moment.

jaymzh commented 9 years ago

FWIW, in my testing, I don't see what you see. When I give it a bad passphrase I get:

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] PINENTRY_LAUNCHED 5739
DEBUG: Got [GNUPG:] ERROR keysig 67108875
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Saving key

And if I cancel it, I get:

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] PINENTRY_LAUNCHED 5850
DEBUG: Got [GNUPG:] ERROR keysig 83886179
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Saving key

At which point it then thinks it signed it and carries on, but since gpg re-launches the agent it then a moment later gets PINENTRY_LAUNCHED again and crashes.
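The two traces above show the failure mode: with gpg2.1 and an agent there is no GOOD_PASSPHRASE line, and a bad or cancelled pinentry surfaces only as `ERROR keysig <n>` before the keyedit prompt comes back. The following is an added example (not pius's own code) of decoding those status lines and deciding whether a UID was really signed; the sample traces are constructed from the output quoted in this thread, and the error-code tables are the libgpg-error values for those two cases.

```python
# Added example, not pius code: interpret GnuPG --status-fd output from an
# --edit-key sign session and refuse to treat "ERROR keysig" as success.
import re

# Subset of libgpg-error sources and codes relevant to the traces above.
# A gpg_error_t packs the source in bits 24-30 and the code in bits 0-15.
GPG_ERR_SOURCES = {2: "gpg", 4: "gpg-agent", 5: "pinentry"}
GPG_ERR_CODES = {11: "BAD_PASSPHRASE", 99: "CANCELED"}


def decode_gpg_error(value):
    """Split a numeric gpg_error_t into (source name, code name)."""
    source = (value >> 24) & 0x7F
    code = value & 0xFFFF
    return (GPG_ERR_SOURCES.get(source, "source-%d" % source),
            GPG_ERR_CODES.get(code, "code-%d" % code))


STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def signing_outcome(status_lines):
    """Return ('signed'|'failed', detail) for one sign_uid attempt.

    gpg1 reports success with GOOD_PASSPHRASE; gpg2 with an agent never
    prints it, so the only failure signal is ERROR keysig before the
    keyedit.prompt line that pius waits for."""
    for line in status_lines:
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "ERROR" and args.startswith("keysig "):
            src, code = decode_gpg_error(int(args.split()[1]))
            return "failed", "%s reported by %s" % (code, src)
        if keyword == "GOOD_PASSPHRASE":
            return "signed", "GOOD_PASSPHRASE"
        if keyword == "GET_LINE" and args == "keyedit.prompt":
            return "signed", "prompt returned without ERROR"
    return "failed", "session ended before keyedit.prompt"


# Constructed sample traces (status lines only, DEBUG prefixes stripped).
BAD_PASSPHRASE_TRACE = ["[GNUPG:] GOT_IT", "[GNUPG:] PINENTRY_LAUNCHED 5739",
                        "[GNUPG:] ERROR keysig 67108875",
                        "[GNUPG:] GET_LINE keyedit.prompt"]
CANCELLED_TRACE = ["[GNUPG:] GOT_IT", "[GNUPG:] PINENTRY_LAUNCHED 5850",
                   "[GNUPG:] ERROR keysig 83886179",
                   "[GNUPG:] GET_LINE keyedit.prompt"]
GPG1_TRACE = ["[GNUPG:] GOT_IT", "[GNUPG:] NEED_PASSPHRASE X X 1 0",
              "[GNUPG:] GOOD_PASSPHRASE", "[GNUPG:] GET_LINE keyedit.prompt"]
```

Decoding the two numbers from the traces gives BAD_PASSPHRASE from gpg-agent and CANCELED from pinentry, which is the distinction a wrapper needs before deciding to "save" and export the key.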

jaymzh commented 9 years ago

Here's what I have installed:

ii  gnupg                                                       1.4.19-5                              amd64        GNU privacy guard - a free PGP replacement
ii  gnupg-agent                                                 2.1.8-1                               amd64        GNU privacy guard - cryptographic agent
ii  gnupg2                                                      2.1.8-1                               amd64        GNU privacy guard - a free PGP replacement (new v2.x)
ii  gpgv                                                        1.4.19-5                              amd64        GNU privacy guard - signature verification tool

jaymzh commented 9 years ago

OK, pushed a fix on top of this in ec8840c

jaymzh commented 9 years ago

@tresni Can you do me a favor and test master and make sure this all works for you still? I'd like to cut a new release ASAP.

tresni commented 9 years ago

:+1: looks good to me on GPGTools/MacGPG. Tried both gpg1/gpg2 and all seems to work as expected. Debian 8 looks good too.

jaymzh commented 9 years ago

https://github.com/jaymzh/pius/releases/tag/v2.2.1 released.