Hi,
I've been using enigmail with a YubiKey 4 for a little while now, and it works pretty well.
I have two related complaints though:
Enigmail always, always asks for pin. I've tried everything, but for some reason it won't talk to the gpg-agent. I'm using gpg 2.2.4 (I've read threads about v1 / v2 for this)
When I reply to an email, including the original email, enigmail signs twice. The end result is fine, it works as expected, but it asks for my pin twice and I have to touch the yubikey twice. Would not be a huge deal if my first problem was solved though, but as it stands having to type the PIN twice is a pain :)
If anyone has ideas on how to solve one of those problems, it'd be great.
Thanks!
The problem with your complaint is that Enigmail doesn't talk to gpg-agent. Enigmail calls gpg, and gpg may talk to gpg-agent whenever it feels like.
I assume that for whatever reason, gpg-agent is terminated after each call from gpg. I'd recommend you read the FAQ articles about solving issues with gpg-agent.
Concerning the double signing: for PGP/MIME signed messages, Enigmail needs to determine the used hash algorithm (as that's part of the PGP/MIME header). This can only be done by creating a test signature and extracting the hash algorithm for the generated message. That's why you are asked twice for the PIN.
I should have specified it, but gpg outside of enigmail works just fine.
I use it by hand, I use it as my ssh-agent and everything and it doesn't ask me my PIN every time, that's only from enigmail.
No way to avoid the double signing then? Can't I configure that somewhere explicitly, to avoid enigmail figuring it out itself?
If it helps:
enable-ssh-support
use-standard-socket
default-cache-ttl 86400
max-cache-ttl 864000
As you can see, my gpg-agent.conf is already valid.
It's hard to tell what could go wrong. What is clear to me is that gpg when started from Enigmail uses a different gpg-agent than when starting from the command line. There can be several reasons for this:
* a wrong environment variable like GNUPGHOME or GPG_AGENT_INFO
* a wrong --homedir parameter setting in the Enigmail preferences
* Enigmail uses a different installation of GnuPG than you use from the command line
Maybe it helps to check the debugging log file.
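One way to check the three causes listed in the reply above, as an added example that is not part of the thread and not Enigmail's code: it reads the environment of the running Thunderbird from /proc/<pid>/environ and compares the GnuPG home directory and the gpg binary that environment resolves to with those of the current shell. It assumes Linux procfs and a Thunderbird running as the same user; an Enigmail --homedir preference, if one is set, is passed as the script's first argument (an argument of this script, not an Enigmail option). Since GnuPG 2.1 gpg locates gpg-agent from its home directory, so GPG_AGENT_INFO is only listed to make a stale export visible. The environ blobs used when no Thunderbird is running are constructed samples.

```python
"""Compare the GnuPG environment of a running Thunderbird with the shell's.

Added example, not code from the thread or from Enigmail. gpg resolves its
home as --homedir, else $GNUPGHOME, else ~/.gnupg, and (GnuPG >= 2.1) finds
gpg-agent from that home; a Thunderbird started from the desktop session with
a different GNUPGHOME, HOME or PATH than your shell therefore talks to another
agent or runs another gpg binary. Linux only (procfs); the target process must
belong to the same user. The environ blobs at the bottom are constructed.
"""
import os
import shutil
import sys
from pathlib import Path

# Variables that decide which gpg runs and which home (hence which agent) it uses.
# GPG_AGENT_INFO is ignored by GnuPG >= 2.1 but is listed so a stale export shows up.
RELEVANT = ("GNUPGHOME", "HOME", "PATH", "GPG_TTY", "GPG_AGENT_INFO")


def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries) into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def resolve_gnupg_home(env, homedir_pref=None):
    """Apply gpg's precedence: --homedir, then $GNUPGHOME, then $HOME/.gnupg."""
    if homedir_pref:
        return os.path.normpath(homedir_pref)
    if env.get("GNUPGHOME"):
        return os.path.normpath(env["GNUPGHOME"])
    return os.path.normpath(os.path.join(env.get("HOME", ""), ".gnupg"))


def find_gpg(env, names=("gpg2", "gpg")):
    """First gpg binary on the PATH of the given environment, or None."""
    for name in names:
        found = shutil.which(name, path=env.get("PATH", ""))
        if found:
            return found
    return None


def compare_environments(shell_env, app_env, homedir_pref=None):
    """Report both resolved homes, both gpg binaries and the RELEVANT variables that differ."""
    shell_home = resolve_gnupg_home(shell_env)
    app_home = resolve_gnupg_home(app_env, homedir_pref)
    return {
        "shell_home": shell_home,
        "app_home": app_home,
        "same_home": shell_home == app_home,
        "shell_gpg": find_gpg(shell_env),
        "app_gpg": find_gpg(app_env),
        "differing": {
            name: (shell_env.get(name), app_env.get(name))
            for name in RELEVANT if shell_env.get(name) != app_env.get(name)
        },
    }


def thunderbird_pids():
    """PIDs whose /proc/<pid>/comm is 'thunderbird' (empty list on non-Linux)."""
    pids = []
    for entry in Path("/proc").glob("[0-9]*"):
        try:
            if (entry / "comm").read_text().strip() == "thunderbird":
                pids.append(int(entry.name))
        except OSError:  # process exited or belongs to another user
            pass
    return sorted(pids)


# Constructed samples: the shell exports a non-default GNUPGHOME, the
# desktop-launched application does not, so its gpg falls back to ~/.gnupg.
SHELL_ENVIRON = (b"HOME=/home/my_user\0PATH=/usr/local/bin:/usr/bin\0"
                 b"GNUPGHOME=/home/my_user/.gnupg-work\0GPG_TTY=/dev/pts/3\0")
APP_ENVIRON = b"HOME=/home/my_user\0PATH=/usr/bin\0"


def main(argv):
    homedir_pref = argv[1] if len(argv) > 1 else None  # --homedir from Enigmail's preferences, if any
    pids = thunderbird_pids()
    if pids:
        shell_env = dict(os.environ)
        app_env = parse_environ(Path(f"/proc/{pids[0]}/environ").read_bytes())
    else:
        print("no running thunderbird found; using the constructed samples")
        shell_env, app_env = parse_environ(SHELL_ENVIRON), parse_environ(APP_ENVIRON)
    for key, value in compare_environments(shell_env, app_env, homedir_pref).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from the same shell where gpg behaves correctly while Thunderbird is open; a `same_home: False`, two different `*_gpg` paths, or a GNUPGHOME/PATH entry under `differing` points straight at one of the three causes.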
As far as I can tell from the debug log, it seems okay.
libgcrypt 1.7.8
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/my_user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: detected GnuPG version '2.2.4'
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: Enigmail.setAgentPath: gpgconf found: yes
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: detectGpgAgent
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: detectGpgAgent: no GPG_AGENT_INFO variable set
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: detectGpgAgent: gpg 2.0.16 or newer - not starting agent
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: detectGpgAgent: GPG_AGENT_INFO='none'
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: Setting useAgent to true for gpg2 >= 2.0.16
2018-04-11 12:57:13.602 [DEBUG] enigmail.js: Enigmail.initialize: END
Correct gpg home, GNUPGHOME and GPG_AGENT_INFO are both empty (does enigmail expect them to be set for some reason? That doesn't seem to be a problem for the regular gpg binary usually. Not even sure how I'd do that tbh).
I don't have any special settings in enigmail, I just tried specifying the gpg path myself just in case (it was using /usr/bin/gpg2 and I use /usr/bin/gpg, it's the same binary but who knows) but it doesn't help. The additional parameters box in the settings is just empty.
Last edit: Ulrar 2018-04-11
You need to check a little deeper and see gpg in action. This is not much more than "Enigmail has found gpg".
That then?
2018-04-11 12:57:35.362 execution.jsm: execStart: command = /usr/bin/gpg --charset utf-8 --display-charset utf-8 --use-agent --batch --no-tty --status-fd 2 -t --clearsign -u 0x<id>, needPassphrase=1, domWindow=[object ChromeWindow], listener=[object Object]
The needPassphrase=1 here seems weird.
The needPassphrase=1 is more for historical reason. It means that Enigmail assumes that this is an operation that requires a passphrase. Whether or not gpg will actually ask for a passphrase or take it from gpg-agent is up to gpg.
The interesting part of the log would be the output from gpg from this call.
Not sure how far it's relevant, but as far as I can tell nothing interesting in there, it just says pinentry launched (it does that twice of course, and both times the output is the same).
Here:
2018-04-12 09:28:56.660 [DEBUG] encryption.jsm: getEncryptCommand: hashAlgorithm=null
2018-04-12 09:28:56.661 execution.jsm: execStart: command = /usr/bin/gpg --charset utf-8 --display-charset utf-8 --use-agent --batch --no-tty --status-fd 2 -t --clearsign -u 0xkey, needPassphrase=1, domWindow=[object ChromeWindow], listener=[object Object]
2018-04-12 09:28:56.661 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --use-agent --batch --no-tty --status-fd 2 -t --clearsign -u 0xkey
2018-04-12 09:28:56.662 [DEBUG] enigmail> DONE
2018-04-12 09:29:01.886 [DEBUG] encryption.jsm: encryptMessageEnd: uiFlags=16, sendFlags=00000101, outputLen=10
2018-04-12 09:29:01.886 [DEBUG] errorHandling.jsm: parseErrorOutputWith: status message:
[GNUPG:] KEY_CONSIDERED key 0
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 15025 unknown 0.9.7 ? ? ?
[GNUPG:] SIG_CREATED C 1 8 01 1523521736 key
2018-04-12 09:29:01.891 [DEBUG] errorHandling.jsm: parseErrorOutputWith: statusFlags = 40000000
2018-04-12 09:29:01.891 [DEBUG] errorHandling.jsm: parseErrorOutputWith: return with c.errorMsg =
2018-04-12 09:29:01.891 [DEBUG] execution.jsm: EnigmailExecution.fixExitCode: agentType: gpg exitCode: 0 statusFlags 1073741824
2018-04-12 09:29:01.891 [DEBUG] encryption.jsm: encryptMessageEnd: command execution exit code: 0
I've had to switch to pinentry gtk, apparently it's not smart enough to launch a terminal if pinentry ncurses is selected, but I guess that's not enigmail's fault.
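To read the log above the way the earlier reply suggests, here is an added example in Python (not Enigmail's or GnuPG's code) that parses the [GNUPG:] status lines gpg writes with --status-fd 2. It shows the two things this thread turns on: the micalg= value for a PGP/MIME multipart/signed message (RFC 3156) has to name the hash gpg actually used, which gpg only reports in its BEGIN_SIGNING / SIG_CREATED status lines once a signature exists, hence the test signature; and each PINENTRY_LAUNCHED line is one PIN prompt, so counting them per signing pass makes the "asked twice" symptom visible. Field layout follows GnuPG's doc/DETAILS; the sample log it runs on is constructed after the excerpt above, with a placeholder fingerprint in place of the redacted key.

```python
"""Read the [GNUPG:] status lines in an Enigmail debug log.

Added example, not Enigmail's or GnuPG's own code. Enigmail signs twice for
PGP/MIME because the micalg= parameter (RFC 3156) must name the hash gpg
really used, and gpg reports that only in BEGIN_SIGNING / SIG_CREATED once a
signature exists. PINENTRY_LAUNCHED is counted per signing pass. Status line
field layout is from GnuPG's doc/DETAILS; the sample log is constructed.
"""
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) -> RFC 3156 micalg names.
OPENPGP_HASH = {1: "md5", 2: "sha1", 3: "ripemd160",
                8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


def parse_status_lines(log_text):
    """Yield (keyword, args) for every '[GNUPG:] ...' line, skipping everything else.

    With --status-fd 2 the status lines share stderr with gpg's diagnostics
    and, in the debug log, with Enigmail's own lines.
    """
    for line in log_text.splitlines():
        match = STATUS_RE.match(line.strip())
        if match:
            yield match.group(1), (match.group(2) or "").split()


def micalg_for(hash_id):
    """OpenPGP hash ID -> micalg value, e.g. 8 -> 'pgp-sha256'."""
    return "pgp-" + OPENPGP_HASH[hash_id]


def summarize_signing(log_text):
    """One dict per signing pass; each BEGIN_SIGNING H<n>... starts a new pass.

    SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>:
    type C = cleartext, D = detached, S = standard; pk_algo 1 = RSA;
    class 01 = canonical text document.
    """
    passes = []
    current = None
    pending_pinentry = False  # a prompt seen before BEGIN_SIGNING belongs to the next pass
    for keyword, args in parse_status_lines(log_text):
        if keyword == "BEGIN_SIGNING":
            current = {
                "hash_ids": [int(a[1:]) for a in args if a[:1] == "H" and a[1:].isdigit()],
                "pinentry_launched": pending_pinentry,
                "sig_created": None,
            }
            pending_pinentry = False
            passes.append(current)
        elif keyword == "PINENTRY_LAUNCHED":
            if current is None:
                pending_pinentry = True
            else:
                current["pinentry_launched"] = True
        elif keyword == "SIG_CREATED" and current is not None:
            sig_type, pk_algo, hash_algo, sig_class, timestamp = args[:5]
            current["sig_created"] = {
                "sig_type": sig_type,
                "pk_algo": int(pk_algo),
                "hash_algo": int(hash_algo),
                "sig_class": sig_class,
                "timestamp": int(timestamp),
                "micalg": micalg_for(int(hash_algo)),
            }
            current = None  # this pass is finished
    return passes


def report(log_text):
    """Summary text: one line per pass plus the total number of PIN prompts."""
    passes = summarize_signing(log_text)
    lines = []
    for number, p in enumerate(passes, 1):
        created = p["sig_created"]
        lines.append(f"pass {number}: hashes={p['hash_ids']} pinentry={p['pinentry_launched']} "
                     f"micalg={created['micalg'] if created else 'none'}")
    lines.append(f"{sum(p['pinentry_launched'] for p in passes)} PIN prompt(s) "
                 f"for {len(passes)} signing pass(es)")
    return "\n".join(lines)


# Constructed sample modelled on the excerpt: first the test signature Enigmail
# makes to learn the hash (hashAlgorithm=null), then the real one. Placeholder fingerprint.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_LOG = f"""\
2018-04-12 09:28:56.660 [DEBUG] encryption.jsm: getEncryptCommand: hashAlgorithm=null
2018-04-12 09:28:56.661 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --use-agent --batch --no-tty --status-fd 2 -t --clearsign -u 0xkey
[GNUPG:] KEY_CONSIDERED {FPR} 0
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 15025 unknown 0.9.7 ? ? ?
[GNUPG:] SIG_CREATED C 1 8 01 1523521736 {FPR}
2018-04-12 09:29:01.891 [DEBUG] encryption.jsm: encryptMessageEnd: command execution exit code: 0
[GNUPG:] KEY_CONSIDERED {FPR} 0
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 15031 unknown 0.9.7 ? ? ?
[GNUPG:] SIG_CREATED C 1 8 01 1523521741 {FPR}
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Paste your own debug log excerpt in place of SAMPLE_LOG: the `H8` in BEGIN_SIGNING and the third field of SIG_CREATED both say SHA256, which is what ends up as `micalg=pgp-sha256` in the message header, and one PINENTRY_LAUNCHED per pass is the two prompts the original post describes.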
It looks like gpg doesn't print out enough to be sure. Could you add the following line to your gpg.conf file? It's only for a test, please remove it afterwards, as debugging output can cause undesired side effects to Enigmail.
verbose
Just did that, basically the same output but it talks about considering keys, and settles on using a subkey instead of the master key. No information about why it asks the passphrase, unfortunately.