jaymzh / pius

PGP Individual User Signer

Crash when using card #32

Closed dotwaffle closed 6 years ago

dotwaffle commented 8 years ago

My key is stored on a card. When I try to sign, I get:

13:49:16 [mwalster@mwmbp:~] % pius -d 040babe2
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
WARNING: You passed in short keyids. Short keyids are forgable and should be avoided.
Type "I understand" to continue: I understand
Please enter your mail server password:
Sorry, cannot authenticate to smtp.gmail.com as dotwaffle@gmail.com with that passwword, try again.
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint 040babe2
pub   4096R/B20CC297040BABE2 2015-06-01 [expires: 2020-05-30]

      Key fingerprint = 8BE8 7F4C 19EF AC17 CB43  4331 B20C C297 040B ABE2
uid               [ultimate] Matthew Walster <mwalster@fastly.com>

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key 040babe2
DEBUG: Got a line pub:u:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:u::::::::Matthew Walster <mwalster@fastly.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p:
DEBUG: Got UID Matthew Walster <mwalster@fastly.com> with status u
DEBUG: got email mwalster@fastly.com
DEBUG: 040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There is 1 UID on this key to sign
DEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/040babe2.asc --export 040babe2 0x8783A4A6184156BE
  UID 1 (mwalster@fastly.com): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/040babe2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 040babe2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT 8783A4A6184156BE Matthew Walster <matthew@walster.org>

DEBUG: Got [GNUPG:] NEED_PASSPHRASE 8783A4A6184156BE 8783A4A6184156BE 1 0

DEBUG: Got [GNUPG:] GOOD_PASSPHRASE

DEBUG: Saving key
signedDEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE.asc --export 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --use-agent --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --no-options --always-trust -u 0x8783A4A6184156BE -aes -r 040babe2 -r 0x8783A4A6184156BE --output /tmp/pius_tmp/pius_tmp.asc /tmp/pius_tmp/pius_tmp
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_SIGNING H8
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] CARDCTRL 3 D2760001240102000006038107570000
Traceback (most recent call last):
  File "/usr/local/Cellar/pius/HEAD/libexec/bin/pius", line 341, in <module>
    main()
  File "/usr/local/Cellar/pius/HEAD/libexec/bin/pius", line 325, in main
    if signer.sign_all_uids(key, retval):
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/signer.py", line 790, in sign_all_uids
    self.mailer.send_sig_mail(self.signer, key, uid, self)
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/mailer.py", line 225, in send_sig_mail
    signer, uid_data['email'], keyid, uid_data['file'], psign
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/mailer.py", line 175, in _generate_pgp_mime_email
    psigner.encrypt_and_sign_file(tmpfile, signed_tmpfile, keyid)
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/signer.py", line 887, in encrypt_and_sign_file
    raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] CARDCTRL 3 D2760001240102000006038107570000

I'm using the HEAD of pius, as installed by "brew install pius --HEAD" which shows:

13:52:39 [mwalster@mwmbp:~] % pius --version
pius 2.2.2
dotwaffle commented 8 years ago

Interestingly, when upgrading to gpg 2.1.1, I get:

14:22:15 [mwalster@mwmbp:~] 1 % pius -d 040babe2
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
WARNING: You passed in short keyids. Short keyids are forgable and should be avoided.
Type "I understand" to continue: I understand
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint 040babe2
pub   rsa4096/B20CC297040BABE2 2015-06-01 [SCEA] [expires: 2020-05-30]
      Key fingerprint = 8BE8 7F4C 19EF AC17 CB43  4331 B20C C297 040B ABE2
uid                 [  full  ] Matthew Walster <mwalster@fastly.com>

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key 040babe2
DEBUG: Got a line sec:f:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:f::::::::Matthew Walster <mwalster@fastly.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p::
DEBUG: Got UID Matthew Walster <mwalster@fastly.com> with status f
DEBUG: got email mwalster@fastly.com
DEBUG: 040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There is 1 UID on this key to sign
DEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/040babe2.asc --export 040babe2 0x8783A4A6184156BE
  UID 1 (mwalster@fastly.com): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/040babe2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 040babe2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] PINENTRY_LAUNCHED 52973

DEBUG: Got [GNUPG:] ERROR keysig 83918950

  ERROR: Agent reported an error.

gpg-agent problems, bailing out!
14:22:43 [mwalster@mwmbp:~] 1 %
dotwaffle commented 8 years ago

Ahah, so after a bit of digging, there are two problems -- one of which is my fault:

  1. By default, Yubikeys are shipped with "forcesig" turned on, so you have to enter your PIN every time. I disabled this and things went better.
  2. For some reason, when pius is running pinentry, it's not allowing it to take over the terminal. This is regardless of the setting in gpg-agent.conf, and it works when doing it manually.

Once I enter the PIN manually in a separate session, and let gpg-agent cache it, I get the following (good) output:

15:23:40 [mwalster@mwmbp:~] % pius -d B20CC297040BABE2
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint B20CC297040BABE2
pub   rsa4096/B20CC297040BABE2 2015-06-01 [SCEA] [expires: 2020-05-30]
      Key fingerprint = 8BE8 7F4C 19EF AC17 CB43  4331 B20C C297 040B ABE2
uid                 [ unknown] Matthew Walster <mwalster@fastly.com>

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key B20CC297040BABE2
DEBUG: Got a line sec:-:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:-::::::::Matthew Walster <mwalster@fastly.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p::
DEBUG: Got UID Matthew Walster <mwalster@fastly.com> with status -
DEBUG: got email mwalster@fastly.com
DEBUG: B20CC297040BABE2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There is 1 UID on this key to sign
DEBUG: exporting B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/B20CC297040BABE2.asc --export B20CC297040BABE2 0x8783A4A6184156BE
  UID 1 (mwalster@fastly.com): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/B20CC297040BABE2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key B20CC297040BABE2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

DEBUG: Saving key
signedDEBUG: exporting B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/B20CC297040BABE2__mwalster_at_fastly.com__0x8783A4A6184156BE.asc --export B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --use-agent --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --no-options --always-trust -u 0x8783A4A6184156BE -aes -r B20CC297040BABE2 -r 0x8783A4A6184156BE --output /tmp/pius_tmp/pius_tmp.asc /tmp/pius_tmp/pius_tmp
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] PROGRESS need_entropy X 4 16
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] PROGRESS need_entropy X 16 16
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_SIGNING H10
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] SIG_CREATED S 1 10 00 1460993031 9822E22058B6EB064E258C436E5098842B66940D
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_ENCRYPTION 2 9
DEBUG: Got GPG_ENC_BEG
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] END_ENCRYPTION
DEBUG: Got GPG_ENC_END
DEBUG: send_mail called with to (mwalster@fastly.com), subject (Your signed PGP key)
, mailed

WARNING: Ignoring -i: Either -r wasn't specified, or it was the same as the default keyring.
15:23:54 [mwalster@mwmbp:~] %
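The first transcript dies because pius's encrypt-and-sign step raises its unknown-line error on any `--status-fd` keyword it does not recognise, and a card-backed key emits `CARDCTRL` there; the later transcripts show `PROGRESS` and `PINENTRY_LAUNCHED` lines and a real `ERROR` from the agent. The handler below is an added illustration of how a defender would classify those lines, not pius's own code: the keyword sets, the `AgentError` name and the `run_encrypt_and_sign` driver are assumptions, only `EncryptionUnknownError` is taken from the traceback.

```python
import re
# Status keywords that may appear while signing/encrypting but carry no state
# for the caller. CARDCTRL (3 = card with this serial number detected) is what
# crashed pius above; PROGRESS and PINENTRY_LAUNCHED show up in later runs.
INFORMATIONAL = {"PROGRESS", "CARDCTRL", "PINENTRY_LAUNCHED", "USERID_HINT",
                 "NEED_PASSPHRASE", "GOOD_PASSPHRASE", "GOT_IT"}
# The events the encrypt-and-sign flow actually waits for, in order.
EXPECTED = ["BEGIN_SIGNING", "SIG_CREATED", "BEGIN_ENCRYPTION", "END_ENCRYPTION"]
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

class EncryptionUnknownError(Exception): pass   # name taken from the traceback
class AgentError(Exception): pass               # hypothetical: a gpg ERROR line

def classify_status_line(line):
    """Return ("skip", keyword) or ("event", keyword); raise on failures."""
    m = STATUS_RE.match(line.strip())
    if not m: return ("skip", None)    # ordinary output, not a status line
    keyword, args = m.group(1), (m.group(2) or "")
    if keyword == "ERROR":             # e.g. "[GNUPG:] ERROR keysig 83918950"
        raise AgentError("gpg reported an error: " + args)
    if keyword in INFORMATIONAL:
        return ("skip", keyword)
    if keyword in EXPECTED:
        return ("event", keyword)
    raise EncryptionUnknownError(line)  # genuinely unknown: still fail loudly

def run_encrypt_and_sign(status_lines):
    """Consume status lines in order; return the SIG_CREATED fingerprint."""
    seen, fingerprint = [], None
    for line in status_lines:
        kind, keyword = classify_status_line(line)
        if kind != "event":
            continue
        seen.append(keyword)
        if keyword == "SIG_CREATED":
            fingerprint = line.split()[-1]
    if seen != EXPECTED:
        raise EncryptionUnknownError("incomplete sequence: %r" % seen)
    return fingerprint

# Constructed sample: the first transcript's status lines, continued the way
# the successful third transcript shows the run would otherwise have gone.
SAMPLE_CARD_RUN = [
    "[GNUPG:] BEGIN_SIGNING H8",
    "[GNUPG:] CARDCTRL 3 D2760001240102000006038107570000",
    "[GNUPG:] SIG_CREATED S 1 10 00 1460993031 9822E22058B6EB064E258C436E5098842B66940D",
    "[GNUPG:] BEGIN_ENCRYPTION 2 9",
    "[GNUPG:] END_ENCRYPTION",
]
```

With this classification the card's `CARDCTRL` line is logged and skipped, the second transcript's `ERROR keysig` becomes an explicit agent failure, and anything truly unexpected still aborts the run.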
jaymzh commented 6 years ago

Heya! Sorry for the lack of response here, and thanks for all the digging!

I've never tried to use gpg from a yubikey, but I just got some so this is a use-case I'll be able to test more. It doesn't seem like any of the problems once you upgraded were around using the card, but instead agent stuff. I often run into weird agent-isms. For example, over SSH I have to set pinentry-program /usr/bin/pinentry-curses - because pinentry doesn't want to xforward. But of course when I'm back at that machine, nothing graphical can prompt for a passphrase (like thunderbird) and I have to set it back. I prefer the ssh-agent model of a deliberate ssh-add step, but alas that's not what the gpg authors want for gpg-agent.

Anyway - I don't think there's an action here, so I'm closing this, but if there is an action to be taken, please don't hesitate to re-open it.