smartcard gpg error because of additional --no-use-agent and wrong --use-agent

2013-09-20
2013-11-03
  • Gerrit Leder
    2013-09-20

    Hello all,

    I have installed Enigmail with Thunderbird and ReinerSCT komfort
    Smartcard reader. In order to get GnuPG to work with my Smartcard inserted,
    I had to add two command line parameters:
    --no-use-agent --disable-ccid

    I added these in the Enigmail configuration, too.

    Now I see an error when sending/signing a message: no SmartCard found in reader!

    This is because of the additional wrong command line parameter added by
    enigmail:
    --use-agent

    You can see the full gpg command in the following console snippet:

    Please remove the standard --use-agent from enigmail.
    Thanks and bye
    Gerrit Leder

    Initializing Enigmail service ...
    EnigmailAgentPath=/usr/bin/gpg
    
    enigmail> /usr/bin/gpg --version --version --batch --no-tty --charset
    utf-8 --display-charset utf-8
    gpg (GnuPG) 1.4.14
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: ~/.gnupg
    Unterstützte Verfahren:
    Öff. Schlüssel: RSA, RSA-E, RSA-S, ELG-E, DSA
    Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
                CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2
    
    EnigTest: START ********************************
    EnigTest: To: gerrit.leder@gmail.com
    TEST MESSAGE 123
    TEST MESSAGE 345
    
    enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8
    --disable-ccid --no-use-agent --batch --no-tty --status-fd 2 --comment
    Using GnuPG with undefined - http://www.enigmail.net/ -t --clearsign -u
    <gerrit.leder@gmail.com> --use-agent
    
     
  • Gerrit Leder
    2013-09-20

    Enigmail version: 1.4

    Tested with enigmail version 1.5.2, error is now:
    Fehler - Verschlüsselung fehlgeschlagen
    (eng.: error - crypting not possible)

    Thanks
    Gerrit

     
  • Gerrit Leder
    2013-09-20

    Now, after reboot, signing and sending email works fine!

    But: receiving crypted email from adele@gnupp.de is not possible to decrypt...
    I have imported the public key from the keyserver, but I think enigmail gets messed up with internationalization: the public key in key management is English, while the "from" address in the email is German.

    If I set to manually select public key there is no given choice and potentially evaluatable public key of key trust is empty.

    Does anybody have a clue how I can get signing and decryption to work?

    Thanks again
    Gerrit

     
  • For decryption you don't need any public key, you only need your private key.

    I'd say the problem is still related to the first issue you had. Enigmail will unconditionally append --use-agent if the environment variable GPG_AGENT_INFO is set, i.e. if it detects that gpg-agent is configured and used. You will need to unset the env. variable to ensure that Enigmail would not try to use gpg-agent.

     
  • Gerrit Leder
    2013-09-23

    Thanks Patrick,

    you are right: I need to access my secret key stored on smartcard to decrypt the test message.

    And I do not get Enigmail to decrypt and verify the signature. In fact it says:
    "OpenPGP-Sicherheitsinfo:

    Fehler - Überprüfung der Unterschrift fehlgeschlagen"

    And it only mentions the signature, not the decryption.

    This all is tested with your hint of unsetting the environment variable in .bashrc:
    export GPG_AGENT_INFO=

    But in console it still has the two console parameters:
    --no-use-agent ... --use-agent

    Do you have another clue?

    Gerrit

     
  • Gerrit Leder
    2013-09-23

    Hi again Patrick,

    now I am lost: the previously working message signing with my smartcard private key is now broken (again?).

    I rebooted, no way, but I noticed a change in Thunderbird version from 17 to 24.

    Can that be related?

    Bye
    Gerrit

     
  • You should not use "export var=", but "unset var" to not set it.

    There is no relevant difference in Enigmail between TB 17 and TB 24.

    I'd suggest you attach a debug log file, then I can possibly tell you more.

    See here for how to create a debug log file: https://www.enigmail.net/support/bugs.php#execTrace

     
  • Gerrit Leder
    2013-09-26

    Thanks for the hints.

    I can read smartcard info with enigmail and decrypt with gpg on command line.
    I cannot sign/crypt/decrypt with enigmail.

    Here is the log!

    Bye
    Gerrit

     
  • You still have the GPG_AGENT_INFO environment variable set, thus Enigmail will forcibly use gpg-agent.

    You have to unset GPG_AGENT_INFO in your .xinitrc or .xsessionrc and make sure that the variable is really not set, otherwise you will not succeed.

     
  • Gerrit Leder
    2013-09-26

    I do unset GPG_AGENT_INFO in .xinitrc or .xsessionrc in Ubuntu, but in env it is still set!

    There seem to be other bugs with unsetting this variable, see here:
    https://bugs.launchpad.net/pygpgme/+bug/999949

    Gerrit

     
  • Gerrit Leder
    2013-10-03

    Hello Patrick,

    I have no way of disabling the env variable GPG_AGENT_INFO other than putting the unset command in .bashrc

    But this does not prevent thunderbird/enigmail from putting --use-agent to the gpg command line. Same for .xsessionrc and .xinitrc

    Could you please provide a nightly build without the option --use-agent in it?

    Thank you
    Gerrit

     
  • If --use-agent is still sent, then the variable is still set, or you activated the option to use gpg-agent. If you post another debug log file I'll check why Enigmail still uses --use-agent.

    I won't change the logic in Enigmail.

     
  • Gerrit Leder
    2013-10-05

    --use-agent is still sent, see attached log.
    env variable GPG_AGENT_INFO is unset in .xsessionrc
    The option you mentioned is not evaluated by enigmail, either set or unset, confirmed by a pop-up box.

    Why is an option used for a program that is not installed on my computer:
    leder@leder-HP-Pavilion-dv7-Notebook-PC:~$ gpg-agent
    Die Anwendung »gpg-agent« ist momentan nicht installiert. Sie können sie durch folgende Eingabe installieren:
    sudo apt-get install gnupg-agent

    Please have a look at my provided log!

    Thanks
    Gerrit

     
  • The variable is still set (see below). Unsetting it in .bashrc won't unset it for programs started via the GUI, this only works from the command line. I think that gnome-keyring or seahorse-agent is started. I would try uninstalling these tools.

    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent
    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO variable available
    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='/run/user/1000/keyring-8tBmfa/gpg:0:1'
    
     
  • Gerrit Leder
    2013-10-06

    When I remove gnome-keyring or seahorse then the whole ubuntu-desktop will be removed, too. I cannot do that.

    Don't you think it is a pity that the command line option clash described in the ticket title breaks the use of smartcard?

     
    Then I'd suggest one of the two following options:
    - Try to set up Gnome keyring such that it's not started during the login process
    - Write a wrapper shell script to launch Thunderbird which unsets GPG_AGENT_INFO

     
  • Gerrit Leder
    2013-10-07

    OK, I have written a wrapper with unset GPG_AGENT_INFO and now the first signature w/ smartcard key works! Following signatures and any encryption do not work, with the following error message:
    Sending of the message failed. Check account settings.

    How come?

     
  • That's most likely due to [bugs:#175], which will be fixed in the next release.

     


  • Gerrit Leder
    2013-10-07

    Thanks a lot. Looking forward to next version of enigmail.
    Gerrit

     
  • Gerrit Leder
    2013-10-18

    Thanks for Version 1.6: smartcard support with above configuration works fine now. Here is what I did for Reiner SCT komfort smartcard reader:
    - install packages libifd-cyberjack6 and fxcyberjack under Ubuntu
    - add the following lines to ~/.gnupg/gpg.conf:
    #disable-ccid
    disable-ccid
    no-use-agent

    - Last line replaces original entry use-agent

    Go for it!

    P. S. It is a good idea to add a group named cyberjack and add the current user to this group. I do not know if Ubuntu automagically does this. Please refer to documentation man for this.

     
    Last edit: Gerrit Leder 2013-10-21
  • Gerrit Leder
    2013-10-21

    One more hint -
    If the enigmail error debug console still shows command line option --use-agent, here is what to do in Ubuntu Linux:
    - create dir ~/bin
    - cd bin
    - put file thunderbird with the following contents
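    #!/bin/bash
    # Remove the agent variable so Enigmail does not append --use-agent
    unset GPG_AGENT_INFO
    # Replace the wrapper with Thunderbird and pass any arguments through
    exec /usr/bin/thunderbird "$@"

    - then
      chmod a+x ~/bin/thunderbird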

    After logout/login e-mail and enigmail should work fine.

     
  • C.Tenschert
    2013-11-03

    other solution
    edit .gnupg/gpg.conf

    put an # in front of line

    use-agent
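
The thread turns on two points: GPG_AGENT_INFO has to be absent from the environment of the GUI-launched Thunderbird process (not just from the login shell), and gpg.conf must not carry an active use-agent line. The script below is an added example for checking both, plus the flag clash from the ticket title; it is not part of the original posts or of Enigmail. The function names, the process name "thunderbird" and the use of /proc/<pid>/environ (Linux) are assumptions.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, not Enigmail's.

# Print GPG_AGENT_INFO from a NUL-separated environment file such as
# /proc/<pid>/environ. Returns 1 if the variable is absent. A variable
# exported with an empty value is still present: status 0, empty output.
agent_info_in_environ() {
    _line=$(tr '\000' '\n' < "$1" | grep '^GPG_AGENT_INFO=') || return 1
    printf '%s\n' "${_line#GPG_AGENT_INFO=}"
}

# List active (uncommented) use-agent / no-use-agent lines in a gpg.conf.
# Returns 1 if there are none.
active_agent_options() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^(no-)?use-agent$'
}

# Return 0 if a logged gpg command line carries both --use-agent and
# --no-use-agent, the clash shown in the Enigmail console output.
has_agent_flag_clash() {
    case " $1 " in *" --use-agent "*) ;; *) return 1 ;; esac
    case " $1 " in *" --no-use-agent "*) return 0 ;; *) return 1 ;; esac
}

# Inspect every running Thunderbird process of the current user (Linux only).
# Assumption: the process is named "thunderbird"; adjust for your distribution.
check_running_thunderbird() {
    for _pid in $(pgrep -u "$(id -u)" -x thunderbird); do
        if _val=$(agent_info_in_environ "/proc/$_pid/environ"); then
            echo "pid $_pid: GPG_AGENT_INFO='$_val' is set"
        else
            echo "pid $_pid: GPG_AGENT_INFO is not set"
        fi
    done
}

# Run the live check only when asked, e.g. ./check-agent.sh --check
if [ "${1:-}" = "--check" ]; then
    check_running_thunderbird
    active_agent_options "$HOME/.gnupg/gpg.conf" ||
        echo "no active agent option in gpg.conf"
fi
```

Run it with --check after starting Thunderbird the same way you normally do (desktop launcher or wrapper), since that is the environment Enigmail inherits.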