
can't sign email, key ... not found or not valid

2014-02-10
2014-02-14
  • Robert Munro

    Robert Munro - 2014-02-10

    I can't get the Thunderbird Enigmail OpenPGP extension using gnupg2 to work under KDE in Linux, Mageia 4.

    Trying to send a signed email fails before displaying the passphrase prompt with the message:

    Send operation aborted. Key <key-id> not found or not valid. The (sub)key might have expired

    With gnupg2 installed and Enigmail enabled in Thunderbird and OpenPGP preferences set to find /usr/bin/gpg2, all of the pieces appear to be in place. KDE starts the gpg-agent daemon and sets the environment variable GPG_AGENT_INFO and ~/.gnupg/gpg-agent-info to point to its socket, ~/.gnupg/gpg.conf specifies only the default gpg key and keyserver, ~/.gnupg/gpg-agent.conf contains "pinentry-program /usr/bin/pinentry-qt no-grab default-cache-ttl 1800" and /usr/bin/pinentry-qt is a symlink to /usr/bin/pinentry-qt4.

    The default key exists in ~/.gnupg and is valid and not expired; I can view it with the command "gpg2 --list-keys" and it works if I uninstall gpg2 and fall back to using gpg.

    After the error occurs, the OpenPGP Console shows:

    enigmail> /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --comment "Using GnuPG with Thunderbird - http://www.enigmail.net/" -t --clearsign -u 0x[default key] --use-agent

    Apparently gpg-agent never calls pinentry-qt because the passphrase prompt is not shown, so the OpenPGP Log file contains:

    gpg: problem with the agent: No pinentry
    ERROR get_passphrase 85
    MISSING_PASSPHRASE

    Is something missing or misconfigured? Or is this a bug in either Enigmail or gnupg2?

     
  • Patrick Brunschwig

    gpg: problem with the agent: No pinentry
    

    You need to install a graphical version of pinentry, such as pinentry-qt or pinentry-gtk. And you need to ensure that pinentry is a symlink to the graphical version of pinentry-xxx.

    If these two are already set up correctly, then your ~/.gnupg/gpg-agent.conf contains a reference to a wrong pinentry tool.

     
  • Robert Munro

    Robert Munro - 2014-02-12
    You need to install a graphical version of pinentry, such as pinentry-qt or
    pinentry-gtk. And you need to ensure that pinentry is a symlink to the
    graphical version of pinentry-xxx.
    
    If these two are already set up correctly, then your ~/.gnupg/gpg-agent.conf
    contains a reference to a wrong pinentry tool.
    

    Here's what I've got:

    $ ls -al /usr/bin/pinentry*
    -rwxr-xr-x 1 root root   1939 Jan 14  2011 /usr/bin/pinentry*
    -rwxr-xr-x 1 root root  50472 Oct 19 02:57 /usr/bin/pinentry-curses*
    lrwxrwxrwx 1 root root     12 Feb  7 09:39 /usr/bin/pinentry-qt -> pinentry-qt4*
    -rwxr-xr-x 1 root root 158160 Oct 19 02:57 /usr/bin/pinentry-qt4*
    
    $ cat ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/bin/pinentry-qt no-grab default-cache-ttl 1800
    
    ###+++--- GPGConf ---+++###
    default-cache-ttl 600
    max-cache-ttl 6000
    ###+++--- GPGConf ---+++### Sun 09 Feb 2014 04:31:22 PM PST
    # GPGConf edited this configuration file.
    # It will disable options before this marked block, but it will
    # never change anything below these lines.
    

    Are you seriously suggesting that gpg-agent doesn't honor the gpg-agent.conf pinentry-program directive to call /usr/bin/pinentry-qt instead of pinentry? Are you really sure of this?

    If so, that's a bug in gnupg2, and someone like you should file a bug report.

    I hesitate to uninstall pinentry, since apparently a lot of KDE depends on it and uninstalling it would remove all of those KDE packages too. I'd also rather not just hack this by renaming pinentry and substituting a symlink to pinentry-qt4, as some programs might use pinentry and that could break those.

     
  • Patrick Brunschwig

    What does the following command list concerning pinentry-program? (Note: it doesn't report anything on my Mac, but that could be Mac-specific.)

    gpgconf --list-options gpg-agent
    
     
  • Robert Munro

    Robert Munro - 2014-02-12

    Here is everything I can find out through gpgconf.

    $ gpgconf
    gpg:GPG for OpenPGP:/usr/bin/gpg2
    gpg-agent:GPG Agent:/usr/bin/gpg-agent
    scdaemon:Smartcard Daemon:/usr/lib64/gnupg2/scdaemon
    gpgsm:GPG for S/MIME:/usr/bin/gpgsm
    dirmngr:Directory Manager:/usr/bin/dirmngr
    

    That's the default, the same as running "gpgconf --list-components".

    $ gpgconf --list-options gpg
    Monitor:1:0:Options controlling the diagnostic output:0:0::::
    verbose:4:0:verbose:0:0::::
    quiet:0:0:be somewhat more quiet:0:0::::
    Configuration:1:0:Options controlling the configuration:0:0::::
    default-key:0:0:use NAME as default secret key:1:1:NAME:::"490D242C
    encrypt-to:0:0:encrypt to user ID NAME as well:1:1:NAME:::"490D242C
    group:4:1:set up email aliases:37:1:SPEC:::
    Debug:1:1:Options useful for debugging:0:0::::
    debug-level:18:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
    log-file:0:1:write server mode logs to FILE:32:1:FILE:::
    Keyserver:1:0:Configuration for Keyservers:0:0::::
    keyserver:0:0:use keyserver at URL:1:1:URL:::"hkp%3a//pgp.mit.edu
    auto-key-locate:0:1:use MECHANISMS to locate keys by mail address:1:1:MECHANISMS:::
    

    The entries default-key and encrypt-to are set to my primary key-id, and keyserver is set to "pgp.mit.edu", as specified in my ~/.gnupg/gpg.conf file.

    $ gpgconf --list-options gpg-agent
    Monitor:1:0:Options controlling the diagnostic output:0:0::::
    verbose:12:0:verbose:0:0::::
    quiet:8:0:be somewhat more quiet:0:0::::
    Configuration:1:0:Options controlling the configuration:0:0::::
    disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
    enable-ssh-support:0:0:enable ssh support:0:0::::
    Debug:1:1:Options useful for debugging:0:0::::
    debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
    log-file:8:1:write server mode logs to FILE:32:1:FILE:::
    Security:1:0:Options controlling the security:0:0::::
    default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::600
    default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
    max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::6000
    max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
    ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
    no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
    no-grab:8:2:do not grab keyboard and mouse:0:0::::
    Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
    enforce-passphrase-constraints:8:2:do not allow to bypass the passphrase policy:0:0::::
    min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
    min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
    check-passphrase-pattern:24:2:check new passphrases against pattern in FILE:32:1:FILE:::
    max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
    enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
    

    There's no pinentry-program entry in the gpg-agent parameters maintained by gpgconf, although that's one thing you'd think gnupg2 would want to record.

    $ gpgconf --check-programs
    gpg:GPG for OpenPGP:/usr/bin/gpg2:1:1:
    gpg-agent:GPG Agent:/usr/bin/gpg-agent:1:1:
    scdaemon:Smartcard Daemon:/usr/lib64/gnupg2/scdaemon:1:1:
    gpgsm:GPG for S/MIME:/usr/bin/gpgsm:1:1:::keybox `/home/ram/.gnupg/pubring.kbx' created:
    dirmngr:Directory Manager:/usr/bin/dirmngr:1:1:
    

    It didn't complain about anything here, and even created an S/MIME keyring.

    $ gpgconf --check-options gpg
    gpg:GPG for OpenPGP:/usr/bin/gpg2:1:1:
    
    $ gpgconf --check-options gpg-agent
    gpg-agent:GPG Agent:/usr/bin/gpg-agent:1:1:
    

    No complaints.

    $ gpgconf --check-config
    gpgconf: can not open global config file `/etc/gnupg/gpgconf.conf': No such file or directory
    

    Hmmm. I checked the gnupg and gnupg2 packages, and the gpgconf.conf file is not included in either of them. There is no ~/.gnupg/gpgconf.conf file.

     

    Last edit: Robert Munro 2014-02-12
  • Robert Munro

    Robert Munro - 2014-02-13

    Below is my entire enigdbug.txt file. I would have attached the file instead, but "add attachments" apparently doesn't work here at Sourceforge in forums.

    $ cat enigdbug.txt
    2014-02-12 17:34:46.980 [DEBUG] enigmail.js: Logging debug output to /home/ram/enigdbug.txt
    2014-02-12 17:34:46.980 [DEBUG] enigmail.js: Enigmail version 1.6
    2014-02-12 17:34:46.980 [DEBUG] enigmail.js: OS/CPU=Linux x86_64
    2014-02-12 17:34:46.980 [DEBUG] enigmail.js: Platform=X11
    2014-02-12 17:34:46.981 [DEBUG] enigmail.js: Enigmail.initialize: Ec.envList = DISPLAY=:0,HOME=/home/ram,LANG=en_US.UTF-8,LANGUAGE=en_US.UTF-8:en_US:en,LC_COLLATE=en_US.UTF-8,LC_CTYPE=en_US.UTF-8,LC_MESSAGES=en_US.UTF-8,LC_MONETARY=en_US.UTF-8,LC_NUMERIC=en_US.UTF-8,LC_TIME=en_US.UTF-8,LOGNAME=ram,NLSPATH=/usr/share/locale/%l/%N,PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin/:/usr/games:/usr/lib64/qt4/bin:/home/ram/bin,PWD=/home/ram,SHELL=/bin/bash,TMP=/tmp,TMPDIR=/tmp,USER=ram
    2014-02-12 17:34:46.981 [DEBUG] gpgAgentHandler.jsm: resetGpgAgent
    2014-02-12 17:34:46.981 [CONSOLE] EnigmailAgentPath=/usr/bin/gpg2
    
    2014-02-12 17:34:46.981 [DEBUG] enigmail.js: Enigmail.setAgentPath: calling subprocess with '/usr/bin/gpg2'
    2014-02-12 17:34:47.048 [CONSOLE] enigmail> /usr/bin/gpg2 --version --version --batch --no-tty --charset utf-8 --display-charset utf-8
    2014-02-12 17:34:47.049 [CONSOLE] gpg (GnuPG) 2.0.22
    libgcrypt 1.5.3
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ?, ?
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: detected GnuPG version '2.0.22'
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: Enigmail.setAgentPath: gpgconf found: yes
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: detectGpgAgent
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO variable available
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='/tmp/gpg-GvDCox/S.gpg-agent:1932:1'
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:34:47.049 [DEBUG] enigmailCommon.jsm: stillActive: 
    2014-02-12 17:34:47.050 [DEBUG] enigmail.js: Enigmail.initialize: END
    2014-02-12 17:34:47.050 [DEBUG] enigmailCommon.js: getService: 1.6
    2014-02-12 17:34:47.050 [DEBUG] enigmailCommon.jsm: getVersion
    2014-02-12 17:34:47.050 [DEBUG] enigmailCommon.jsm: installed version: 1.6
    2014-02-12 17:34:47.050 [DEBUG] pref-enigmail.js displayPrefs
    2014-02-12 17:34:47.050 [DEBUG] pref-enigmail.js displayPrefs: keepSettingsForReply=true
    2014-02-12 17:34:47.051 [DEBUG] pref-enigmail.js displayPrefs: agentAdditionalParam=
    2014-02-12 17:34:47.051 [DEBUG] pref-enigmail.js displayPrefs: recipientsSelection=3
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: alwaysTrustSend=true
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: allowEmptySubject=false
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: doubleDashSeparator=true
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: useGpgAgent=false
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: hushMailSupport=false
    2014-02-12 17:34:47.052 [DEBUG] pref-enigmail.js displayPrefs: keyserver=pgp.mit.edu
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: logDirectory=/home/ram
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: advancedUser=true
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: noPassphrase=false
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: confirmBeforeSend=true
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: useDefaultComment=false
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: autoKeyRetrieve=pgp.mit.edu
    2014-02-12 17:34:47.053 [DEBUG] pref-enigmail.js displayPrefs: encryptToSelf=true
    2014-02-12 17:34:47.054 [DEBUG] pref-enigmail.js displayPrefs: agentPath=/usr/bin/gpg2
    2014-02-12 17:34:47.054 [DEBUG] pref-enigmail.js displayPrefs: wrapHtmlBeforeSend=true
    2014-02-12 17:34:47.054 [DEBUG] gpgAgentHandler.jsm: isAgentTypeGpgAgent:
    2014-02-12 17:34:47.140 [DEBUG] gpgAgentHandler.jsm: isAgentTypeGpgAgent: pid=1932
    2014-02-12 17:34:47.140 [DEBUG] gpgAgentHandler.jsm: isCmdGpgAgent:
    2014-02-12 17:34:47.140 [DEBUG] gpgAgentHandler.jsm: resolvePath: filePath=ps
    2014-02-12 17:34:47.140 [DEBUG] gpgAgentHandler.jsm: resolvePath: checking for /usr/bin/ps
    2014-02-12 17:34:47.197 [DEBUG] gpgAgentHandler.jsm: isCmdGpgAgent: got data: 'COMMAND
    gpg-agent
    '
    2014-02-12 17:34:47.197 [DEBUG] gpgAgentHandler.jsm: isCmdGpgAgent:
    2014-02-12 17:34:47.197 [DEBUG] gpgAgentHandler.jsm: resolvePath: filePath=ps
    2014-02-12 17:34:47.198 [DEBUG] gpgAgentHandler.jsm: resolvePath: checking for /usr/bin/ps
    2014-02-12 17:34:47.260 [DEBUG] gpgAgentHandler.jsm: isCmdGpgAgent: got data: 'COMMAND
    gpg-agent
    '
    2014-02-12 17:34:47.260 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle:
    2014-02-12 17:34:47.321 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: Monitor:1:0:Options controlling the diagnostic output:0:0::::
    2014-02-12 17:34:47.321 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: verbose:12:0:verbose:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: quiet:8:0:be somewhat more quiet:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: Configuration:1:0:Options controlling the configuration:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: enable-ssh-support:0:0:enable ssh support:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: Debug:1:1:Options useful for debugging:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: log-file:8:1:write server mode logs to FILE:32:1:FILE:::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: Security:1:0:Options controlling the security:0:0::::
    2014-02-12 17:34:47.322 [DEBUG] gpgAgentHandler.jsm: getAgentMaxIdle: line: default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::600
    2014-02-12 17:34:47.323 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:34:47.323 [DEBUG] commonFuncs.jsm: collapseAdvanced:
    2014-02-12 17:34:47.323 [DEBUG] commonFuncs.jsm: collapseAdvanced:
    2014-02-12 17:34:47.324 [DEBUG] enigmailCommon.js: EnigDisplayRadioPref: recipientsSelection, 3
    2014-02-12 17:48:08.851 [DEBUG] enigmailMessengerOverlay.js: setAttachmentReveal
    2014-02-12 17:48:08.855 [DEBUG] enigmailMessengerOverlay.js: setAttachmentReveal
    2014-02-12 17:48:11.769 [DEBUG] enigmailMsgComposeOverlay.js: _enigmail_composeWindowInit
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: got load event
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.composeStartup
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.setIdentityDefaults
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.780 [DEBUG] enigmailCommon.jsm: getSignMsg: identity.key=id1
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.setSendDefaultOptions
    2014-02-12 17:48:11.780 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=encrypt
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: encrypt=0
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=signPlain
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: signPlain=true
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=pgpMimeMode
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: pgpMimeMode=false
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=attachPgpKey
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: attachPgpKey=false
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.781 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.msgComposeReset
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.setIdentityDefaults
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.782 [DEBUG] enigmailCommon.jsm: getSignMsg: identity.key=id1
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.setSendDefaultOptions
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=encrypt
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: encrypt=0
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=signPlain
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: signPlain=true
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=pgpMimeMode
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: pgpMimeMode=false
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=attachPgpKey
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: attachPgpKey=false
    2014-02-12 17:48:11.782 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:11.783 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.783 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.composeOpen
    2014-02-12 17:48:11.783 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:11.783 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:11.974 [DEBUG] enigmailMsgComposeOverlay.js: ECSL.NotifyComposeFieldsReady
    2014-02-12 17:48:12.041 [DEBUG] enigmailMsgComposeOverlay.js: ECSL.ComposeBodyReady
    2014-02-12 17:48:12.041 [DEBUG] enigmailMsgComposeOverlay.js: EDSL.NotifyDocumentStateChanged: isEmpty=true, isEditable=true
    2014-02-12 17:48:12.090 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.fireSendFlags
    2014-02-12 17:48:12.091 [DEBUG] enigmailCommon.jsm: dispatchEvent f=_sendFlagWrapper
    2014-02-12 17:48:12.103 [DEBUG] enigmailCommon.jsm: dispatchEvent running mainEvent
    2014-02-12 17:48:12.105 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.focusChange: Enigmail.msg.determineSendFlags
    2014-02-12 17:48:12.105 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:12.105 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:12.105 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:29.941 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.fireSendFlags
    2014-02-12 17:48:29.941 [DEBUG] enigmailCommon.jsm: dispatchEvent f=_sendFlagWrapper
    2014-02-12 17:48:29.942 [DEBUG] enigmailCommon.jsm: dispatchEvent running mainEvent
    2014-02-12 17:48:29.942 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.focusChange: Enigmail.msg.determineSendFlags
    2014-02-12 17:48:29.942 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:29.943 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:29.943 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:38.506 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.fireSendFlags
    2014-02-12 17:48:38.506 [DEBUG] enigmailCommon.jsm: dispatchEvent f=_sendFlagWrapper
    2014-02-12 17:48:38.507 [DEBUG] enigmailCommon.jsm: dispatchEvent running mainEvent
    2014-02-12 17:48:38.507 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.focusChange: Enigmail.msg.determineSendFlags
    2014-02-12 17:48:38.507 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:38.508 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.updateStatusBar:
    2014-02-12 17:48:38.508 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:49.979 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.sendMessageListener
    2014-02-12 17:48:49.980 [DEBUG] enigmailCommon.jsm: getVersion
    2014-02-12 17:48:49.980 [DEBUG] enigmailCommon.jsm: installed version: 1.6
    2014-02-12 17:48:49.980 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.modifyCompFields: otherRandomHeaders = X-Enigmail-Version: 1.6
    
    2014-02-12 17:48:49.980 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: msgType=0, Enigmail.msg.sendMode=1
    2014-02-12 17:48:49.980 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: currentId=[nsIMsgIdentity: id1], ramunro@speakeasy.net
    2014-02-12 17:48:49.980 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg:gMsgCompose=[xpconnect wrapped nsIMsgCompose]
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.keySelection
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=signPlain
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: signPlain=true
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.keySelection: recipientsSelection= 3 / toAddr=spamtrap@speakeasy.net
    2014-02-12 17:48:49.981 [DEBUG] enigmailMsgComposeOverlay.js: hasAttachments = false
    2014-02-12 17:48:49.984 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetContentAs
    2014-02-12 17:48:49.984 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.replaceEditorText:
    2014-02-12 17:48:49.986 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:48:49.988 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:48:49.989 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetContentAs
    2014-02-12 17:48:49.989 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetCharset
    2014-02-12 17:48:49.989 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: charset=ISO-8859-1
    2014-02-12 17:48:49.989 [DEBUG] enigmail.js: Enigmail.encryptMessage: 13 bytes from 0x490D242C to spamtrap@speakeasy.net (97)
    2014-02-12 17:48:49.989 [DEBUG] enigmailCommon.jsm: encryptMessageStart: uiFlags=1, from 0x490D242C to spamtrap@speakeasy.net, hashAlgorithm=null (00000061)
    2014-02-12 17:48:49.989 [DEBUG] enigmailCommon.jsm: getEncryptCommand: hashAlgorithm=null
    2014-02-12 17:48:49.990 enigmailCommon.jsm: execStart: command = /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --comment "Using GnuPG with Thunderbird - http://www.enigmail.net/" -t --clearsign -u 0x490D242C, needPassphrase=1, domWindow=[object ChromeWindow], listener=[object Object]
    2014-02-12 17:48:49.990 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:49.990 [DEBUG] enigmailCommon.jsm: getPassphrase:
    2014-02-12 17:48:49.990 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:49.990 [CONSOLE] enigmail> /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --comment "Using GnuPG with Thunderbird - http://www.enigmail.net/" -t --clearsign -u 0x490D242C --use-agent
    2014-02-12 17:48:50.063 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:50.068 [ERROR] subprocess.jsm: got error from stdinWorker: error: write failed, errno=32
    2014-02-12 17:48:59.496 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.sendMessageListener
    2014-02-12 17:48:59.496 [DEBUG] enigmailCommon.jsm: getVersion
    2014-02-12 17:48:59.496 [DEBUG] enigmailCommon.jsm: installed version: 1.6
    2014-02-12 17:48:59.496 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.modifyCompFields: otherRandomHeaders = X-Enigmail-Version: 1.6
    
    2014-02-12 17:48:59.496 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: msgType=0, Enigmail.msg.sendMode=1
    2014-02-12 17:48:59.497 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: currentId=[nsIMsgIdentity: id1], ramunro@speakeasy.net
    2014-02-12 17:48:59.497 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=enabled
    2014-02-12 17:48:59.497 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg:gMsgCompose=[xpconnect wrapped nsIMsgCompose]
    2014-02-12 17:48:59.497 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.keySelection
    2014-02-12 17:48:59.497 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: identity=id1 value=signPlain
    2014-02-12 17:48:59.498 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.getAccDefault: signPlain=true
    2014-02-12 17:48:59.498 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.keySelection: recipientsSelection= 3 / toAddr=spamtrap@speakeasy.net
    2014-02-12 17:48:59.498 [DEBUG] enigmailMsgComposeOverlay.js: hasAttachments = false
    2014-02-12 17:48:59.501 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetContentAs
    2014-02-12 17:48:59.501 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.replaceEditorText:
    2014-02-12 17:48:59.503 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:48:59.505 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:48:59.505 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetContentAs
    2014-02-12 17:48:59.506 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorGetCharset
    2014-02-12 17:48:59.506 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptMsg: charset=ISO-8859-1
    2014-02-12 17:48:59.506 [DEBUG] enigmail.js: Enigmail.encryptMessage: 13 bytes from 0x490D242C to spamtrap@speakeasy.net (97)
    2014-02-12 17:48:59.506 [DEBUG] enigmailCommon.jsm: encryptMessageStart: uiFlags=1, from 0x490D242C to spamtrap@speakeasy.net, hashAlgorithm=null (00000061)
    2014-02-12 17:48:59.506 [DEBUG] enigmailCommon.jsm: getEncryptCommand: hashAlgorithm=null
    2014-02-12 17:48:59.507 enigmailCommon.jsm: execStart: command = /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --comment "Using GnuPG with Thunderbird - http://www.enigmail.net/" -t --clearsign -u 0x490D242C, needPassphrase=1, domWindow=[object ChromeWindow], listener=[object Object]
    2014-02-12 17:48:59.507 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:59.507 [DEBUG] enigmailCommon.jsm: getPassphrase:
    2014-02-12 17:48:59.507 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:59.507 [CONSOLE] enigmail> /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --comment "Using GnuPG with Thunderbird - http://www.enigmail.net/" -t --clearsign -u 0x490D242C --use-agent
    2014-02-12 17:48:59.593 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
    2014-02-12 17:48:59.594 [ERROR] subprocess.jsm: trying to write data to closed stdin2014-02-12 17:48:59.595 [DEBUG] enigmailCommon.jsm: encryptMessageEnd: uiFlags=1, sendFlags=00000061, outputLen=0
    2014-02-12 17:48:59.595 [DEBUG] enigmailCommon.jsm: parseErrorOutput: status message: [GNUPG:] USERID_HINT FAA60C21490D242C Robert Alan Munro (IT management consultant, journalist, author.) <ramunro@speakeasy.net>
    [GNUPG:] NEED_PASSPHRASE FAA60C21490D242C FAA60C21490D242C 17 0
    gpg: problem with the agent: No pinentry
    [GNUPG:] ERROR get_passphrase 85
    [GNUPG:] MISSING_PASSPHRASE
    gpg: skipped "0x490D242C": Operation cancelled
    [GNUPG:] INV_SGNR 0 0x490D242C
    gpg: [stdin]: clearsign failed: Operation cancelled
    
    2014-02-12 17:48:59.595 [DEBUG] enigmailCommon.jsm: parseErrorOutput: detected invalid sender: 0x490D242C / code: 0
    2014-02-12 17:48:59.596 [DEBUG] enigmailCommon.jsm: parseErrorOutput: statusFlags = 00410802
    2014-02-12 17:48:59.596 [DEBUG] enigmailCommon.jsm: encryptMessageEnd: command execution exit code: -1
    2014-02-12 17:48:59.596 [DEBUG] enigmail.js: Enigmail.encryptMessage: command execution exit code: -1
    2014-02-12 17:48:59.596 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.replaceEditorText:
    2014-02-12 17:48:59.598 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:48:59.600 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.editorInsertText
    2014-02-12 17:49:03.518 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.removeAttachedKey: 
    2014-02-12 17:49:10.547 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.msgComposeClose
    2014-02-12 17:49:10.547 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.msgComposeReset
    
     
  • Patrick Brunschwig

    I'm sorry, but the only thing I can see is:
    [GNUPG:] NEED_PASSPHRASE FAA60C21490D242C FAA60C21490D242C 17 0
    gpg: problem with the agent: No pinentry

    This line in the log file tells you about gpg-agent:
    2014-02-12 17:34:47.049 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='/tmp/gpg-GvDCox/S.gpg-agent:1932:1'

    You could try this in a shell:

    export GPG_AGENT_INFO=<whatever is current in the log file>
    /usr/bin/gpg2 --clearsign << EOT
    test
    EOT
    

    You should then be prompted for your passphrase or get an error about pinentry.

     
  • Robert Munro

    Robert Munro - 2014-02-13

    I got an error about pinentry, suggesting that gpg-agent isn't calling it.

    $ env | grep "GPG*"
    GPG_AGENT_INFO=/tmp/gpg-GvDCox/S.gpg-agent:1932:1
    

    That's already in my environment variables, so no need to export it again, and doing that doesn't help.

    $ /usr/bin/gpg2 --clearsign
    
    You need a passphrase to unlock the secret key for
    user: "Robert Alan Munro (IT management consultant, journalist, author.) <ramunro@speakeasy.net>"
    1024-bit DSA key, ID 490D242C, created 2003-12-28
    
    gpg: problem with the agent: No pinentry
    gpg: no default secret key: Operation cancelled
    gpg: [stdin]: clearsign failed: Operation cancelled
    

    It appears that gpg-agent is not calling /usr/bin/pinentry-qt but instead fails, and gpg2 returns the passphrase prompt to the caller, which is the bash shell here.

    Why isn't gpg-agent using the "pinentry-program /usr/bin/pinentry-qt [...]" directive that is in my ~/.gnupg/gpg-agent.conf file?

    Here is what ps displays about gpg-agent:

    $ ps -eM u | grep gpg-agent
    -                               ram       1932  0.0  0.0  17372   904 ?        Ss   Feb09   0:06 gpg-agent --keep-display --daemon --write-env-file /home/ram/.gnupg/gpg-agent-info
    
     

    Last edit: Robert Munro 2014-02-13
  • Patrick Brunschwig

    I'm not sure, but it may be that either gpg-agent was started before you modified gpg-agent.conf, or gpg-agent is simply ignoring the config option.

    I'd suggest you start with symlinking pinentry-qt -> pinentry.

     
  • Robert Munro

    Robert Munro - 2014-02-14

    I've solved the problem. Here is my modified ~/.gnupg/gpg-agent.conf without the parameter "no-grab":

    $ cat ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/bin/pinentry-qt
    default-cache-ttl 1800
    max-cache-ttl 3600
    

    I'm looking into how "no-grab" was added to gpg-agent.conf, but that's definitely what was preventing pinentry-qt from requesting the passphrase.

    The parameter "keep-display" is also required by gpg-agent for pinentry-qt to work, but my Linux distribution passes "--keep-display" as a command-line parameter when it starts gpg-agent.

    Thanks for helping me figure this out.

     

    Last edit: Robert Munro 2014-02-15
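
Added example, not part of the thread and not Enigmail or GnuPG code: GnuPG option files take one option per line, with the rest of the line as that option's argument, so a small linter can check that whatever follows `pinentry-program` in gpg-agent.conf names an executable file. The function names, the temporary directory and the stand-in pinentry script are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Lint gpg-agent.conf: does each active pinentry-program line name an executable?

# pinentry_args FILE: print the argument of every active pinentry-program line.
# Comment lines (leading '#') do not match; trailing whitespace is trimmed.
pinentry_args() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# check_pinentry_conf FILE
# Returns 0 if every argument is an executable file, 1 if any is not,
# 2 if the file has no active pinentry-program line.
check_pinentry_conf() {
    args=$(pinentry_args "$1")
    [ -n "$args" ] || { echo "no pinentry-program line in $1"; return 2; }
    rc=0
    # One argument per line; read -r keeps embedded spaces intact.
    while IFS= read -r arg; do
        if [ -f "$arg" ] && [ -x "$arg" ]; then
            echo "ok: $arg"
            continue
        fi
        rc=1
        echo "not an executable file: '$arg'"
        # If only the first word is a real program, the remaining words are
        # most likely other options that belong on lines of their own.
        first=$(printf '%s\n' "$arg" | awk '{print $1}')
        if [ "$first" != "$arg" ] && [ -x "$first" ]; then
            echo "  hint: '$first' exists; move the remaining words to separate lines"
        fi
    done <<EOF
$args
EOF
    return $rc
}

# make_samples DIR: build constructed sample input (not real system files).
make_samples() {
    # Stand-in for /usr/bin/pinentry-qt
    printf '#!/bin/sh\nexit 0\n' > "$1/pinentry-qt"
    chmod +x "$1/pinentry-qt"
    # Layout of the first gpg-agent.conf shown in the thread: one combined line.
    printf 'pinentry-program %s no-grab default-cache-ttl 1800\n' \
        "$1/pinentry-qt" > "$1/one-line.conf"
    # Layout of the final gpg-agent.conf shown in the thread: one option per line.
    printf 'pinentry-program %s\ndefault-cache-ttl 1800\nmax-cache-ttl 3600\n' \
        "$1/pinentry-qt" > "$1/split.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_pinentry_conf "$demo_dir/one-line.conf"
check_pinentry_conf "$demo_dir/split.conf"
rm -rf "$demo_dir"
```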
