
#257 Asks for password every time

wont-fix
nobody
None
1.6.0
Minor
24.3.0
2.0.22
All
---
nobody
2014-08-17
2014-02-23
No

I don't know when this started (because I don't use encrypted mails that often), but now Enigmail asks me for the password every time I click on a mail or write a mail.

When I save prefs, Enigmail says:
"Your system uses a specialized tool for passphrase handling such as gnome-keyring or seahorse-agent. Unfortunately OpenPGP cannot control the passphrase timeout for the tool you are using. Therefore the respective timeout settings in OpenPGP are disregarded."

But: I do not have seahorse installed and gnome-keyring is only installed because of dependencies. No agent or keyring process is running.

Also:
$GPG_AGENT_INFO is empty.

Attaching debug log for decrypting a mail.


Discussion

  • Ludwig Hügelschäfer

    Could you please also attach a debug log when you save the preferences? Thanks.

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-24

    Attaching debug log from saving prefs.

     
  • Patrick Brunschwig

    From what I can see in the log file, Enigmail cannot connect to gpg-agent (using gpg-connect-agent). I cannot tell why, I just can say that this is the case.

     
  • Ludwig Hügelschäfer

    The first log suggests that gpg-agent isn't running. You can't connect to the agent if it's not running. Thomas, can you please try to start gpg-agent prior to starting Thunderbird? Probably the method you used in the past is broken for some reason we can only speculate about.

     
  • Patrick Brunschwig

    I don't quite agree with pre-starting gpg-agent. Thomas uses GnuPG 2.0.22 which starts gpg-agent automatically. The fact that you cannot connect to gpg-agent using gpg-connect-agent means most likely that the system is set up such that gnome-keyring is used.

    I'd try to configure the passphrase timeout settings in gnome-keyring, or follow e.g. this hint: http://askubuntu.com/questions/349238/how-can-i-clear-my-cached-gpg-password

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-24

    Maybe this explains some things:
    This system (Gentoo) was running KDE for years. Then I switched to Gnome for some months and now I am back to KDE.
    gnome-keyring is only installed because some Gnome programs depend on it.
    It's possible that some other things remained from Gnome.

    In dconf-editor, the timeout is 3600.

    But in the end, I do not want to use gnome-keyring or a KDE variant of it, if possible. Any hints on how to do that?

    BTW, I also tried to configure the timeout in .gnupg/gpg-agent.conf.

    I also tried: mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.disabled

    But since I don't use Gnome, this probably did not do anything.

    Even uninstalling gnome-keyring (risking breakage of some programs) did not help. It still asks every time for the password.

     

    Last edit: Thomas Boerkel 2014-02-24
  • Ludwig Hügelschäfer

    Thomas, now things are getting somewhat beyond our scope, sorry. We can give hints on how to debug a typical gnupg setup, but a KDE system probably suffering from remainders of a Gnome installation is more than we can handle. I suggest you post on a KDE mailing list. Maybe the gnupg-users mailing list (http://lists.gnupg.org/mailman/listinfo/gnupg-users) can also give hints.

    @Patrick: Maybe we should improve the wording of the message "Your system uses a specialized tool for passphrase handling...", therefore leaving the bug open.

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-26

    Maybe you could give me a hint about how Enigmail starts gpg-agent and what it expects it to do, especially in case no specialized tool is installed. Then I could debug gpg-agent outside of Enigmail and probably find a way to make it again handle the passphrase stuff by itself.

     
  • Patrick Brunschwig

    With GnuPG 2.0.16 and newer, Enigmail does not start gpg-agent at all. gpg-agent is started by gpg, when gpg thinks it's needed.

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-27

    OK, so how can I simulate on the command line what Enigmail does, so that I can debug it? Thanks!

     
  • Ludwig Hügelschäfer

    Try to start the gpg-agent within a shell:

    gpg-agent --daemon
    

    Then observe output in the shell and logfiles whether this process is finishing - it should stay in memory forever.

     
  • Ludwig Hügelschäfer

    man gpg-agent
    

    should give more info about other options...

     
  • Patrick Brunschwig

    If you want to simulate Enigmail functionality, then don't start gpg-agent, but use GnuPG as follows:

    gpg --clearsign <<EOT
    test
    EOT
    

    Afterwards check if there is a running gpg-agent; then repeat the above. You should be prompted for your password the 1st time, but not for subsequent calls to gpg with this parameter. Maybe you should wait some minutes between the calls to gpg.

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-28

    Patrick, thanks, now I can reproduce the problem outside of Thunderbird. There is never an agent running in the background, only while the password dialog is being shown, but not before and not after. And it always asks for the password. Should the agent keep running after the first test?

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-28

    Guys, this works:

    gpg-agent --daemon --write-env-file ~/.gpg-agent-info
    . ~/.gpg-agent-info
    gpg --clearsign <<EOT
    test
    EOT

    Using these steps, it only asks once for the password.

     

    Last edit: Thomas Boerkel 2014-02-28
  • Thomas Boerkel

    Thomas Boerkel - 2014-02-28

    Even better, when I start gpg-agent like this, I don't need to set the ENV variable:
    gpg-agent --daemon --use-standard-socket

    Then it also works with Enigmail! :-)

    Funny thing is, KDE supplies a (by default disabled) startup script (/etc/kde/startup/agent-startup.sh), which starts the agent like this:
    eval "$(/usr/bin/gpg-agent --daemon)"

    Which will definitely not work, because then the gpg tool won't find the agent and so no password caching.

    So, is this the correct solution then? I have to make sure the agent is being started when I login?

     
  • Patrick Brunschwig

    I would recommend this solution:

    • add "use-standard-socket" to ~/.gnupg/gpg-agent.conf
    • start gpg-agent --daemon at login (ignoring the output)
     
  • Thomas Boerkel

    Thomas Boerkel - 2014-03-01

    OK, thanks for all the help!

    So, is this a bug in gnupg then? If I understood correctly, gpg should have started the agent and kept it running?

     
  • Patrick Brunschwig

    According to the announcement that's the default behavior of GnuPG 2.0.16 and newer.

    But I can't tell if your Linux distro delivers GnuPG with the same parameters.

    Reading the announcement, it may be sufficient to have the config file with use-standard-socket; you may not even be required to start the agent during the login process.

     
  • Patrick Brunschwig

    • status: open --> wont-fix
     
  • Ludwig Hügelschäfer

    I think that this is neither a bug in Gnupg nor Enigmail. Gnupg provides the means, but it is the task of the distribution and the user to keep configuration and usage possible and stable.

    Maybe the misbehaviour in your case started by one of your changes (Gnome -> KDE and back) which was not handled well. Software sometimes is a fragile building..

     
  • Thomas Boerkel

    Thomas Boerkel - 2014-03-01

    You are right! When I add "use-standard-socket" to ~/.gnupg/gpg-agent.conf, I don't need to start it during startup. After using Enigmail once, the agent keeps running and everything works fine.

    Thanks again!
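
The three setups the thread worked through (no way to find the agent, `GPG_AGENT_INFO` sourced from an env file, and `use-standard-socket` in `gpg-agent.conf`) can be told apart with a short check. This is an added example, not code from the thread or from Enigmail; the function names and the result labels (`no-discovery`, `env-socket`, `env-stale`, `standard-socket`) are assumptions made for illustration, and the behaviour attached to each label is what the posters reported for GnuPG 2.0.22.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper names, not part of GnuPG or Enigmail).

# Succeed if the given gpg-agent.conf enables use-standard-socket
# on an uncommented line of its own.
has_standard_socket() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*use-standard-socket[[:space:]]*$' "$1"
}

# GPG_AGENT_INFO has the form <socket path>:<pid>:<protocol>; print the socket path.
agent_info_socket() {
    printf '%s\n' "${1%%:*}"
}

# classify_agent_setup <gnupg home> <value of GPG_AGENT_INFO>
# Prints one label describing how gpg would locate the agent:
#   env-socket       variable set and its socket exists (the --write-env-file case)
#   env-stale        variable set but the socket is gone (agent died or old session)
#   standard-socket  use-standard-socket configured; no variable needed
#   no-discovery     neither; the thread saw a passphrase prompt on every call
classify_agent_setup() {
    home=$1
    info=$2
    if [ -n "$info" ]; then
        sock=$(agent_info_socket "$info")
        if [ -S "$sock" ]; then
            echo "env-socket"
        else
            echo "env-stale"
        fi
        return 0
    fi
    if has_standard_socket "$home/gpg-agent.conf"; then
        echo "standard-socket"
    else
        echo "no-discovery"
    fi
}

# Inspect the current user's setup only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    classify_agent_setup "${GNUPGHOME:-$HOME/.gnupg}" "${GPG_AGENT_INFO:-}"
fi
```

A result of `env-stale` is worth checking in login scripts that export `GPG_AGENT_INFO` once and never refresh it, since gpg is then pointed at a socket that no longer exists.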

     
