Closed dotwaffle closed 6 years ago
Interestingly, when upgrading to gpg 2.1.1, I get:
14:22:15 [mwalster@mwmbp:~] 1 % pius -d 040babe2
Welcome to PIUS, the PGP Individual UID Signer.
Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
WARNING: You passed in short keyids. Short keyids are forgable and should be avoided.
Type "I understand" to continue: I understand
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint 040babe2
pub rsa4096/B20CC297040BABE2 2015-06-01 [SCEA] [expires: 2020-05-30]
Key fingerprint = 8BE8 7F4C 19EF AC17 CB43 4331 B20C C297 040B ABE2
uid [ full ] Matthew Walster <mwalster@fastly.com>
Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3
Signing all UIDs on key 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key 040babe2
DEBUG: Got a line sec:f:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:f::::::::Matthew Walster <mwalster@fastly.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p::
DEBUG: Got UID Matthew Walster <mwalster@fastly.com> with status f
DEBUG: got email mwalster@fastly.com
DEBUG: 040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
There is 1 UID on this key to sign
DEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/040babe2.asc --export 040babe2 0x8783A4A6184156BE
UID 1 (mwalster@fastly.com): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/040babe2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 040babe2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay
DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] PINENTRY_LAUNCHED 52973
DEBUG: Got [GNUPG:] ERROR keysig 83918950
ERROR: Agent reported an error.
gpg-agent problems, bailing out!
14:22:43 [mwalster@mwmbp:~] 1 %
Ahah, so after a bit of digging, there are two problems -- one of which is my fault:
Once I enter the PIN manually in a separate session, and let gpg-agent cache it, I get the following (good) output:
15:23:40 [mwalster@mwmbp:~] % pius -d B20CC297040BABE2
Welcome to PIUS, the PGP Individual UID Signer.
Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint B20CC297040BABE2
pub rsa4096/B20CC297040BABE2 2015-06-01 [SCEA] [expires: 2020-05-30]
Key fingerprint = 8BE8 7F4C 19EF AC17 CB43 4331 B20C C297 040B ABE2
uid [ unknown] Matthew Walster <mwalster@fastly.com>
Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3
Signing all UIDs on key B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key B20CC297040BABE2
DEBUG: Got a line sec:-:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:-::::::::Matthew Walster <mwalster@fastly.com>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p::
DEBUG: Got UID Matthew Walster <mwalster@fastly.com> with status -
DEBUG: got email mwalster@fastly.com
DEBUG: B20CC297040BABE2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
There is 1 UID on this key to sign
DEBUG: exporting B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/B20CC297040BABE2.asc --export B20CC297040BABE2 0x8783A4A6184156BE
UID 1 (mwalster@fastly.com): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/B20CC297040BABE2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key B20CC297040BABE2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay
DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Saving key
signedDEBUG: exporting B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/B20CC297040BABE2__mwalster_at_fastly.com__0x8783A4A6184156BE.asc --export B20CC297040BABE2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --use-agent --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --no-options --always-trust -u 0x8783A4A6184156BE -aes -r B20CC297040BABE2 -r 0x8783A4A6184156BE --output /tmp/pius_tmp/pius_tmp.asc /tmp/pius_tmp/pius_tmp
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] PROGRESS need_entropy X 4 16
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] PROGRESS need_entropy X 16 16
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_SIGNING H10
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] SIG_CREATED S 1 10 00 1460993031 9822E22058B6EB064E258C436E5098842B66940D
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_ENCRYPTION 2 9
DEBUG: Got GPG_ENC_BEG
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] END_ENCRYPTION
DEBUG: Got GPG_ENC_END
DEBUG: send_mail called with to (mwalster@fastly.com), subject (Your signed PGP key)
, mailed
WARNING: Ignoring -i: Either -r wasn't specified, or it was the same as the default keyring.
15:23:54 [mwalster@mwmbp:~] %
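The status-fd exchange the two debug runs above record, as an added example that is not PIUS's own code: it parses the `[GNUPG:]` lines PIUS waits on, decodes the `ERROR keysig 83918950` value using libgpg-error's field layout, and tells a completed keysig from a failed one. The sample lines are copied from the runs above; `GPG_ERR_SOURCES` is an assumed excerpt of the source ids in gpg-error.h.

```python
import re

# Added example, not PIUS's code: parse the "[GNUPG:] ..." status-fd lines shown
# in the debug output above and decode the value in "ERROR keysig 83918950".
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")
# Error-source ids from libgpg-error's gpg-error.h (excerpt, assumed).
GPG_ERR_SOURCES = {0: "unknown", 2: "gpg", 4: "gpg-agent", 5: "pinentry", 6: "scdaemon"}
# Status lines copied from the failing and the working run in the issue above.
FAILED_RUN = [
    "[GNUPG:] GET_LINE keyedit.prompt", "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_BOOL sign_uid.okay", "[GNUPG:] GOT_IT",
    "[GNUPG:] PINENTRY_LAUNCHED 52973", "[GNUPG:] ERROR keysig 83918950",
]
GOOD_RUN = FAILED_RUN[:4] + ["[GNUPG:] GET_LINE keyedit.prompt"]


def parse_status_line(line):
    """Return (keyword, [args]) for a status line, or None for other output."""
    m = STATUS_RE.match(line.strip())
    return (m.group(1), (m.group(2) or "").split()) if m else None


def decode_gpg_error(err):
    """Split a libgpg-error value: bits 24-30 are the source, bits 0-15 the code;
    a code with bit 15 set is a system error whose low bits index the errno table
    (index 102, as in the log above, is ENOTTY: pinentry found no terminal)."""
    source = (err >> 24) & 0x7F
    code = err & 0xFFFF
    info = {"source": GPG_ERR_SOURCES.get(source, str(source)), "code": code}
    if code & 0x8000:
        info["system_errno_index"] = code & 0x7FFF
    return info


def assess_sign_session(lines):
    """Once sign_uid.okay is confirmed, the next status after GOT_IT decides:
    a new keyedit.prompt means the keysig was made, ERROR keysig means it failed."""
    confirmed = False
    for line in lines:
        parsed = parse_status_line(line)
        if not parsed:
            continue
        kw, args = parsed
        if kw == "GET_BOOL" and args[:1] == ["sign_uid.okay"]:
            confirmed = True
        elif confirmed and kw == "ERROR" and args[:1] == ["keysig"]:
            return "failed", decode_gpg_error(int(args[1]))
        elif confirmed and kw == "GET_LINE" and args[:1] == ["keyedit.prompt"]:
            return "signed", None
    return "incomplete", None
```

Running `assess_sign_session(FAILED_RUN)` reports the failure as coming from pinentry with a system error, which matches the fix the reporter found: get the PIN into gpg-agent's cache from a session that has a terminal before letting pius drive gpg with `--no-tty`.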
Heya! Sorry for the lack of response here, and thanks for all the digging!
I've never tried to use gpg from a yubikey, but I just got some so this is a use-case I'll be able to test more. It doesn't seem like any of the problems once you upgraded were around using the card, but instead agent stuff. I often run into weird agent-isms. For example, over SSH I have to set pinentry-program /usr/bin/pinentry-curses - because pinentry doesn't want to xforward. But of course when I'm back at that machine, nothing graphical can prompt for a passphrase (like thunderbird) and I have to set it back. I prefer the ssh-agent model of a deliberate ssh-add step, but alas that's not what the gpg authors want for gpg-agent.
Anyway - I don't think there's an action here, so I'm closing this, but if there is an action to be taken, please don't hesitate to re-open it.
My key is stored on a card. When I try to sign, I get:
I'm using the HEAD of pius, as installed by "brew install pius --HEAD" which shows: