smartcard gpg error because of additional --no-use-agent and wrong --use-agent

2013-09-20
2013-11-03
  • Gerrit Leder

    Gerrit Leder - 2013-09-20

    Hello all,

    I have installed Enigmail with Thunderbird and ReinerSCT komfort
    Smartcard reader. In order to get GnuPG to work with my Smartcard inserted,
    I had to add two command line parameters:
    --no-use-agent --disable-ccid

    I added these in the Enigmail configuration, too.

    Now I see an error when sending/signing a message: no SmartCard found in reader!

    This is because of the additional wrong command line parameter added by
    enigmail:
    --use-agent

    You can see the full gpg command in the following console snippet:

    Please remove the standard --use-agent from enigmail.
    Thanks and bye
    Gerrit Leder

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Initializing Enigmail service ...
    EnigmailAgentPath=/usr/bin/gpg

    enigmail> /usr/bin/gpg --version --version --batch --no-tty --charset
    utf-8 --display-charset utf-8
    gpg (GnuPG) 1.4.14
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Unterstützte Verfahren:
    Öff. Schlüssel: RSA, RSA-E, RSA-S, ELG-E, DSA
    Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2

    EnigTest: START ********
    EnigTest: To: gerrit.leder@gmail.com
    TEST MESSAGE 123
    TEST MESSAGE 345

    enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8
    --disable-ccid --no-use-agent --batch --no-tty --status-fd 2 --comment
    Using GnuPG with undefined - http://www.enigmail.net/ -t --clearsign -u
    gerrit.leder@gmail.com --use-agent

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-20

    Enigmail version: 1.4

    Tested with enigmail version 1.5.2, error is now:
    Fehler - Verschlüsselung fehlgeschlagen
    (eng.: error - crypting not possible)

    Thanks
    Gerrit

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-20

    Now, after reboot, signing and sending email works fine!

    But: receiving crypted email from adele@gnupp.de is not possible to decrypt...
    I have imported public key from keyserver, but I think enigmail gets messed up with internationalization: public key in key management is english, while "from" address in email is german.

    If I set to manually select public key there is no given choice and potentially evaluatable public key of key trust is empty.

    Anybody a clue, how I get signing and decryption to work?

    Thanks again
    Gerrit

     
  • Patrick Brunschwig

    For decryption you don't need any public key, you only need your private key.

    I'd say the problem is still related to the first issue you had. Enigmail will unconditionally append --use-agent if the environment variable GPG_AGENT_INFO is set, i.e. if it detects that gpg-agent is configured and used. You will need to unset the env. variable to ensure that Enigmail would not try to use gpg-agent.

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-23

    Thanks Patrick,

    you are right: I need to access my secret key stored on smartcard to decrypt the test message.

    And I do not get Enigmail to decrypt and verify the signature. In fact it says:
    "OpenPGP-Sicherheitsinfo:

    Fehler - Überprüfung der Unterschrift fehlgeschlagen"

    And only mentions the signature not the decryption.

    This all is tested with your hint of unsetting the environment variable in .bashrc:
    export GPG_AGENT_INFO=

    But in console it still has the two console parameters:
    --no-use-agent ... --use-agent

    Do you have another clue?

    Gerrit

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-23

    Hi again Patrick,

    now I am lost: the previously working message signing with my smartcard private key is now broken (again?).

    I rebooted, no way, but I noticed a change in Thunderbird version from 17 to 24.

    Can that be related?

    Bye
    Gerrit

     
  • Patrick Brunschwig

    You should not use "export var=", but "unset var" to not set it.

    There is no relevant difference in Enigmail between TB 17 and TB 24.

    I'd suggest you attach a debug log file, then I can possibly tell you more.

    See here for how to create a debug log file: https://www.enigmail.net/support/bugs.php#execTrace

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-26

    Thanks for the hints.

    I can read smartcard info with enigmail and decrypt with gpg on command line.
    I cannot sign/crypt/decrypt with enigmail.

    Here is the log!

    Bye
    Gerrit

     
  • Patrick Brunschwig

    You still have the GPG_AGENT_INFO environment variable set, thus Enigmail will forcibly use gpg-agent.

    You have to unset GPG_AGENT_INFO in your .xinitrc or .xsessionrc and make sure that the variable is really not set, otherwise you will not succeed.

     
  • Gerrit Leder

    Gerrit Leder - 2013-09-26

    I do unset GPG_AGENT_INFO in .xinitrc or .xsessionrc in Ubuntu, but in env it is still set!

    There seem to be other bugs with unsetting this variable, see here:
    https://bugs.launchpad.net/pygpgme/+bug/999949

    Gerrit

     
  • Gerrit Leder

    Gerrit Leder - 2013-10-03

    Hello Patrick,

    I have no way of disabling the env variable GPG_AGENT_INFO other than putting the unset command in .bashrc

    But this does not prevent thunderbird/enigmail from putting --use-agent to the gpg command line. Same for .xsessionrc and .xinitrc

    Could you please provide a nightly build without the option --use-agent in it?

    Thank you
    Gerrit

     
  • Patrick Brunschwig

    If --use-agent is still sent, then the variable is still set, or you activated the option to use gpg-agent. If you post another debug log file I'll check why Enigmail still uses --use-agent.

    I won't change the logic in Enigmail.

     
  • Gerrit Leder

    Gerrit Leder - 2013-10-05

    --use-agent is still sent, see attached log.
    env variable GPG_AGENT_INFO is unset in .xsessionrc
    The option you mentioned is not evaluated by enigmail, either set or unset, confirmed by a pop-up box.

    Why is an option used for a program that is not installed on my computer:
    leder@leder-HP-Pavilion-dv7-Notebook-PC:~$ gpg-agent
    Die Anwendung »gpg-agent« ist momentan nicht installiert. Sie können sie durch folgende Eingabe installieren:
    sudo apt-get install gnupg-agent

    Please have a look at my provided log!

    Thanks
    Gerrit

     
  • Patrick Brunschwig

    The variable is still set (see below). Unsetting it in .bashrc won't unset it for programs started via the GUI, this only works from the command line. I think that gnome-keyring or seahorse-agent is started. I would try uninstalling these tools.

    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent
    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO variable available
    2013-10-06 01:20:48.603 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='/run/user/1000/keyring-8tBmfa/gpg:0:1'
    
     
  • Gerrit Leder

    Gerrit Leder - 2013-10-06

    When I remove gnome-keyring or seahorse then the whole ubuntu-desktop will be removed, too. I cannot do that.

    Don't you think it is a pity that the command line option clash described in the ticket title breaks the use of smartcard?

     
  • Patrick Brunschwig

    Then I'd suggest one of the two following options:
    - Try to set up Gnome keyring such that it's not started during the login process
    - Write a wrapper shell script to launch Thunderbird which unsets GPG_AGENT_INFO

     
  • Gerrit Leder

    Gerrit Leder - 2013-10-07

    OK, I have written wrapper with unset GPG_AGENT_INFO and now the first signature w/ smartcard key works! Following signatures and any encryption does not work with the following error message:
    Sending of the message failed. Check account settings.

    How come?

     
  • Patrick Brunschwig

    That's most likely due to [bugs:#175], which will be fixed in the next release.

     

    Related

    Bugs: #175

  • Gerrit Leder

    Gerrit Leder - 2013-10-07

    Thanks a lot. Looking forward to next version of enigmail.
    Gerrit

     
  • Gerrit Leder

    Gerrit Leder - 2013-10-18

    Thanks for Version 1.6: smartcard support with above configuration works fine now. Here is what I did for Reiner SCT komfort smartcard reader:
    -install packages libifd-cyberjack6 and fxcyberjack under ubuntu
    -add the following lines to ~/.gnupg/gpg.conf:

    #disable-ccid
    disable-ccid
    no-use-agent
    

    -Last line replaces original entry use-agent

    Go for it!

    P. S. it is a good idea to add a group named cyberjack and add the current user to this group. I do not know if ubuntu automagically does this. Please refer to documentation man for this.

     
    Last edit: Gerrit Leder 2013-10-21
  • Gerrit Leder

    Gerrit Leder - 2013-10-21

    One more hint -
    If the enigmail error debug console still shows command line option --use-agent here is what to do in Ubuntu linux
    - create dir ~/bin
    - cd bin
    - put file thunderbird with the following contents

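    #!/bin/bash
    # Remove GPG_AGENT_INFO so Enigmail does not append --use-agent
    unset GPG_AGENT_INFO
    # Replace the wrapper with Thunderbird and pass any arguments through
    exec /usr/bin/thunderbird "$@"

    - then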
    chmod a+x ~/bin/thunderbird
    

    After logout/login e-mail and enigmail should work fine.
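
Added example, not part of the original thread: a check of whether a running Thunderbird process really lacks GPG_AGENT_INFO, plus a demonstration of what `export VAR=` versus `unset VAR` leaves for a child process. The process name `thunderbird`, the function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect GPG_AGENT_INFO as a process sees it.

# Classify GPG_AGENT_INFO in a NUL-separated environment file such as
# /proc/<pid>/environ on Linux. Prints: unset | empty | set:<value>
gpg_agent_env_state() {
    entry=$(tr '\0' '\n' < "$1" | grep '^GPG_AGENT_INFO=' | head -n 1)
    if [ -z "$entry" ]; then
        echo "unset"
    elif [ "$entry" = "GPG_AGENT_INFO=" ]; then
        echo "empty"
    else
        echo "set:${entry#GPG_AGENT_INFO=}"
    fi
}

# What a child process inherits after 'export VAR=' versus 'unset VAR'.
# $1: export-empty | unset. Prints: present | absent
child_inherits() {
    (
        GPG_AGENT_INFO='/tmp/constructed-socket:0:1'   # constructed sample value
        export GPG_AGENT_INFO
        case "$1" in
            export-empty) export GPG_AGENT_INFO= ;;
            unset)        unset GPG_AGENT_INFO ;;
        esac
        if env | grep -q '^GPG_AGENT_INFO='; then echo present; else echo absent; fi
    )
}

# Report the state for every running process named "thunderbird" (assumed name).
report_thunderbird() {
    command -v pgrep >/dev/null 2>&1 || return 0
    for pid in $(pgrep -x thunderbird 2>/dev/null); do
        [ -r "/proc/$pid/environ" ] || continue
        echo "pid $pid: $(gpg_agent_env_state "/proc/$pid/environ")"
    done
    return 0
}

report_thunderbird
```

A `set:` result for the Thunderbird PID means the process was not started through the wrapper; `empty` means the variable is still defined, only without a value.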

     
  • C.Tenschert

    C.Tenschert - 2013-11-03

    other solution
    edit .gnupg/gpg.conf

    put an # in front of line

    use-agent

     
