[lucid] gpg-agent prevents unprotection of passphrases

to reproduce the error (you should backup your ~/.ssh/authorized_keys file):

eval "$(gpg-agent --daemon --enable-ssh-support)"
ssh-keygen -C "test key" -f test_key
ssh-add test_key
cat test_key.pub > ~/.ssh/authorized_keys
ssh localhost

please add this patch to lucid, it is really important to me

As long as no officially patched packages are released you can use mine. Only the gpg-agent package needs to be installed.

https://launchpad.net/~joke/+archive/bugfixes/+sourcepub/1085501/+listing-archive-extra

https://launchpad.net/~joke/+archive/bugfixes/+files/gnupg-agent_2.0.14-1ubuntu2~joke2_i386.deb
https://launchpad.net/~joke/+archive/bugfixes/+files/gnupg-agent_2.0.14-1ubuntu2~joke2_amd64.deb

I need to import a new private-key for university communication. Using the certificate is mandatory at our faculty. This is a security related issue and should be treated with priority. Not to be able to use gpgsm is a real show stopper...

The patch is available: http://marc.info/?l=gnupg-users&m=126451730710129&w=2

Thanks!

I used package from Joke de Buhr gnupg-agent_2.0.14-1ubuntu2~joke2_i386.deb - didn't help.

You need to delete the key. Then re-add the key once more.

If what doesn't work I need to check if I made a mistake while apply the patch.

That's what I did I deleted manualy keys from ~/.gnupg/private-keys-v1.d and also via gui from Kleopatra, then restarted KDE session, checked that no gpg-agent is runinng. Again imported keys and tried to send a signed email message and got again "Bad passphrase"

I think that should have done the trick. I'm going to investigate if I missed something during package building. I having been adding new keys since I built the package. I added my key using a locally patched version of gnupg.

I'm adding the new packages here as soon as I'm finished.

I will provide some details: I installed patched binary from Joke de Buhr then after I removed all keys and restarted KDE session, checked that no gpg-agent is running, I imported keys with:

gpgsm --import newkey.p12

everything seemed to be OK, passphrase to unprotect, then 2x passphrase to protect, import successful...

But no way to sign email message in kmail:

  5 - 2010-06-15 10:51:28 gpg-agent[1489]: starting a new PIN Entry
  5 - 2010-06-15 10:51:28 gpg-agent[1489]: DBG: connection to PIN entry established
  5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: -> INQUIRE PINENTRY_LAUNCHED 3057
  5 - 2010-06-15 10:51:28 gpg-agent[1489.6] DBG: <- END
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to unprotect the secret key: Bad passphrase
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: failed to read the secret key
  5 - 2010-06-15 10:51:36 gpg-agent[1489]: command pksign failed: Bad passphrase
  5 - 2010-06-15 10:51:36 gpg-agent[1489.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056]: error creating signature: Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: <- BYE
  4 - 2010-06-15 10:51:36 gpgsm[3056.0] DBG: -> OK closing connection

I just rebuilt the package. I tested it by adding ssh keys. I think it should work with gpgsm --import as well. But I'm not absolutely sure because I'm not a gnupg developer.

The new packages are available. You should install all three packages: gnupg2, gpg-agent and gpgsm. This may be the reason you had trouble with gpgsm the last time.

https://launchpad.net/~joke/+archive/bugfixes/+sourcepub/1173565/+listing-archive-extra

Please report if the updated package solves the problem. If it doesn't report it too.

Installing all three packages solved the problem, thank you very much. Hope that official package will be fixed soon, too.

Unfortunately the maintainer continues using the unpatched gnupg 2.0.14 release in maverick. If he doesn't consider switching to gnupg 2.0.15 any time soon or at least importing this patch, ubuntu maverick will still face this bug.

Any chance there will be a fixed 2.0.14 or even better 2.0.15 package for Ubuntu Lucid? This bug makes it impossible to use gpgsm for S/MIME.

If you need to use gpgsm just use the fixed package I built (see post #11). As said earlier the ubuntu maintainer doesn't seem to care fixing the bug.

Packages in Ubuntu are team-maintained, so there isn't one person acting as "the" maintainer. Some packages have more people looking at them, other less.
I'll try to find some time to prepare an SRU for this (i.e. 2.0.14 + this patch). 2.0.15 could only be made available to lucid as a backport from maverick (once maverick has 2.0.15).

Here is a debdiff with the upstream patch for lucid. It looks bigger as it really is as the debian-changes patch got regenerated (and debian-changes-2.0.14-1ubuntu1 needed to get merged with it) as gnupg2 uses the "single-debian-patch" option.

Sponsored. Michael, next time please subscribe the sponsoring team if you need sponsoring.

This was fixed in 2.0.14-1.1 which is in maverick.

Accepted gnupg2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I can confirm that the gnupg2 and gnupg-agent packages in lucid-proposed allow me to use gpg-agent as an ssh-agent.

This bug was fixed in the package gnupg2 - 2.0.14-1ubuntu1.1

---------------
gnupg2 (2.0.14-1ubuntu1.1) lucid-proposed; urgency=low

  * Fix a regression in gnupg2 2.0.14 which prevents unprotection of new or
    changed gpg-agent passphrases. Patch provided by Werner Koch (upstream)
    (lp: #567106).
 -- Michael Bienia <email address hidden> Sat, 19 Jun 2010 11:01:30 +0200