Debian Bug report logs - #760102
gnome-keyring: please build with --disable-gpg-agent


Package: gnome-keyring; Maintainer for gnome-keyring is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for gnome-keyring is src:gnome-keyring.

Affects: gnupg-agent, gnupg2

Reported by: Mark Brown <broonie@debian.org>

Date: Sun, 31 Aug 2014 18:51:07 UTC

Severity: important

Found in version gnome-keyring/3.12.2-1

Fixed in version gnome-keyring/3.16.0-3

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Sun, 31 Aug 2014 18:51:11 GMT)


Acknowledgement sent to Mark Brown <broonie@debian.org>:
New Bug report received and forwarded. Copy sent to Josselin Mouette <joss@debian.org>. (Sun, 31 Aug 2014 18:51:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-keyring: Breaks gpg-agent with no UI to disable
Date: Sun, 31 Aug 2014 19:47:18 +0100
Package: gnome-keyring
Version: 3.12.2-1
Severity: important

Since a recent upgrade (sorry, not 100% clear when this happened but I
do update fairly frequently) gnome-keyring has started providing a GnuPG
agent.  This is breaking my usage of my system as gnome-keyring does not
appear to support GnuPG smartcards as gpg-agent does and my day to day
work is heavily dependent on being able to use one.  For example signing
e-mail causes this:

| gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
| gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
| gpg: selecting openpgp failed: Unsupported certificate
| gpg: signing failed: Unsupported certificate
| gpg: signing failed: Unsupported certificate

which is a serious issue; I also use my smartcard as a SSH key and this
usage is also broken.  There used to be a UI to edit the startup
applications but this seems to have been removed.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-keyring depends on:
ii  dbus-x11                                     1.8.6-2
ii  dconf-gsettings-backend [gsettings-backend]  0.20.0-2
ii  gcr                                          3.12.2-1
ii  libc6                                        2.19-10
ii  libcap-ng0                                   0.7.4-2
ii  libcap2-bin                                  1:2.24-4
ii  libdbus-1-3                                  1.8.6-2
ii  libgck-1-0                                   3.12.2-1
ii  libgcr-base-3-1                              3.12.2-1
ii  libgcrypt11                                  1.5.4-2
ii  libglib2.0-0                                 2.40.0-5
ii  libgtk-3-0                                   3.12.2-3+b1
ii  p11-kit                                      0.20.3-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.12.2-1

gnome-keyring suggests no packages.

-- no debconf information



Message #10 received at 760102@bugs.debian.org:

From: Sjoerd Simons <sjoerd@luon.net>
To: Mark Brown <broonie@debian.org>, 760102@bugs.debian.org
Subject: Re: Bug#760102: gnome-keyring: Breaks gpg-agent with no UI to disable
Date: Tue, 02 Sep 2014 09:31:30 +0200

On Sun, 2014-08-31 at 19:47 +0100, Mark Brown wrote:
> Package: gnome-keyring
> Version: 3.12.2-1
> Severity: important
> 
> Since a recent upgrade (sorry, not 100% clear when this happened but I
> do update fairly frequently) gnome-keyring has started providing a GnuPG
> agent.  This is breaking my usage of my system as gnome-keyring does not
> appear to support GnuPG smartcards as gpg-agent does and my day to day
> work is heavily dependent on being able to use one.  For example signing
> e-mail causes this:
> 
> | gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
> | gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
> | gpg: selecting openpgp failed: Unsupported certificate
> | gpg: signing failed: Unsupported certificate
> | gpg: signing failed: Unsupported certificate
> 
> which is a serious issue; I also use my smartcard as a SSH key and this
> usage is also broken.  There used to be a UI to edit the startup
> applications but this seems to have been removed.

gnome-session-properties is indeed gone. You can still configure this by
hand by removing the relevant startup application
from /etc/xdg/autostart. See /usr/share/doc/gnome-keyring/README.Debian
for more information.

-- 
Sjoerd Simons <sjoerd@luon.net>



Message #15 received at 760102@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Sjoerd Simons <sjoerd@luon.net>
Cc: 760102@bugs.debian.org
Subject: Re: Bug#760102: gnome-keyring: Breaks gpg-agent with no UI to disable
Date: Tue, 2 Sep 2014 11:42:28 +0100

On Tue, Sep 02, 2014 at 09:31:30AM +0200, Sjoerd Simons wrote:
> On Sun, 2014-08-31 at 19:47 +0100, Mark Brown wrote:

> > which is a serious issue; I also use my smartcard as a SSH key and this
> > usage is also broken.  There used to be a UI to edit the startup
> > applications but this seems to have been removed.

> gnome-session-properties is indeed gone. You can still configure this by
> hand by removing the relevant startup application
> from /etc/xdg/autostart. See /usr/share/doc/gnome-keyring/README.Debian
> for more information.

This is in fact how I resolved the issue locally but it is not great for
multi-user systems or systems where the same user account is shared
between many systems; in general having to edit files in /etc in order
to get desktop environment functionality working doesn't seem like a
good situation.  The balance between what's being provided and the
difficulty in disabling it doesn't seem right; perhaps Debian ought to
be defaulting to gpg-agent instead (I'm not sure if there's anything in
GNOME that depends on keyring providing this functionality).

Message #20 received at 760102@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: 760102@bugs.debian.org
Subject: Re: Re: Bug#760102: gnome-keyring: Breaks gpg-agent with no UI to disable
Date: Fri, 2 Jan 2015 21:55:19 +0100

FWIW, you don't have to modify files in /etc to achieve the workaround,
it is sufficient to do:

jas@latte:~$ mkdir ~/.config/autostart
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-gpg.desktop 
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop 

See http://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/
for more info, including a reference to this bug#.

/Simon
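
The per-user override from the message above, as an added example that is not part of the original thread: it puts `Hidden=true` inside the `[Desktop Entry]` group exactly once, so it can be re-run safely, and it reports which entries would still autostart. The function names and the `GPG_AGENT_INFO` path pattern used to recognise a gnome-keyring socket are assumptions; the sample `.desktop` content in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): idempotent per-user override of
# gnome-keyring's GPG and SSH agent autostart entries.

# Autostart entries named in the workaround.
KEYRING_ENTRIES="gnome-keyring-gpg.desktop gnome-keyring-ssh.desktop"

# Print the value of Hidden= in the [Desktop Entry] group ("false" if unset).
get_hidden() {
    awk '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]") }
        in_entry && /^Hidden[ \t]*=/ { sub(/^Hidden[ \t]*=[ \t]*/, ""); v = $0 }
        END { print (v == "" ? "false" : v) }
    ' "$1"
}

# Rewrite a .desktop file so [Desktop Entry] holds exactly one Hidden=true.
# Appending at end of file would land in the wrong group if others follow.
set_hidden() {
    tmp="$1.tmp.$$"
    awk '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]") }
        in_entry && /^Hidden[ \t]*=/ { next }    # drop stale or repeated values
        { print }
        $0 == "[Desktop Entry]" { print "Hidden=true" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the file the session would honour: a user entry shadows the system one.
# $1 = system autostart dir, $2 = user autostart dir, $3 = entry name
effective_file() {
    if [ -f "$2/$3" ]; then printf '%s\n' "$2/$3"
    elif [ -f "$1/$3" ]; then printf '%s\n' "$1/$3"
    fi
}

# Copy each system entry into the user dir (if missing) and hide it.
disable_keyring_agents() {
    sys_dir=$1; user_dir=$2
    mkdir -p "$user_dir" || return 1
    for name in $KEYRING_ENTRIES; do
        [ -f "$sys_dir/$name" ] || continue      # nothing to override
        [ -f "$user_dir/$name" ] || cp "$sys_dir/$name" "$user_dir/$name" || return 1
        set_hidden "$user_dir/$name" || return 1
    done
}

# List the entries that would still be started for this user.
enabled_keyring_agents() {
    for name in $KEYRING_ENTRIES; do
        f=$(effective_file "$1" "$2" "$name")
        [ -n "$f" ] || continue
        [ "$(get_hidden "$f")" = "true" ] || printf '%s\n' "$name"
    done
}

# Heuristic (assumption): gnome-keyring's agent socket lives in a directory
# named keyring*, e.g. /run/user/1000/keyring-XXXX/gpg. $1 = GPG_AGENT_INFO.
agent_info_is_keyring() {
    case "${1%%:*}" in
        */keyring*/gpg) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/home"
    for n in $KEYRING_ENTRIES; do
        printf '[Desktop Entry]\nType=Application\nExec=/usr/bin/gnome-keyring-daemon --start\n' \
            > "$d/etc/$n"
    done
    echo "enabled before: $(enabled_keyring_agents "$d/etc" "$d/home" | tr '\n' ' ')"
    disable_keyring_agents "$d/etc" "$d/home"
    echo "enabled after:  $(enabled_keyring_agents "$d/etc" "$d/home" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

To apply it to a real account, call `disable_keyring_agents /etc/xdg/autostart "$HOME/.config/autostart"` and start a new session.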



Message #25 received at 760102@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>, 787045@bugs.debian.org, 753163@bugs.debian.org, 760102@bugs.debian.org
Subject: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Thu, 28 May 2015 01:37:44 -0400

hey debian gnupg folks--

I've uploaded gnupg2 2.0.27-2 to unstable.  This brings unstable closer
to upstream (most of debian/patches is removed), and includes some
debian-specific attempts to address some problems that might be relevant
for a wider userbase.

The most important changes included in 2.0.27-2 that i'd like people to
look at are:

https://anonscm.debian.org/cgit/pkg-gnupg/gnupg2.git/commit/?id=154d606ed022cee8ef1b86183f6a444d198a8a39

   This proposes a workaround for GNOME keyring hijacking gpg-agent,
   including shipping /usr/bin/gnome-keyring-unhijack-gpg-agent as an
   interim measure, and suggesting its use if a hijack is detected.
   (#760102 and #753163)

https://anonscm.debian.org/cgit/pkg-gnupg/gnupg2.git/commit/?id=be070c6017fede8dbd3549c0071e3f0ac44bebcd

   This imports NIIBE's upstream fix to not choke on repeated copies of
   unknown key material (#787045)

If folks can take a look at these changes and let me know what you think
about them, that would be great.

In particular, i want to consider the two changes above for a stable
point release, so if you see any concerns about either of them, please
say something.

      --dkg

Message #30 received at 760102@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org
Subject: Re: Bug#760102: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Thu, 28 May 2015 09:11:55 +0200

Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
   This proposes a workaround for GNOME keyring hijacking gpg-agent,
   including shipping /usr/bin/gnome-keyring-unhijack-gpg-agent as an
   interim measure, and suggesting its use if a hijack is detected.
   (#760102 and #753163)

How about fixing unstable instead of backporting what amounts to a RC
bug to jessie? 

-- 
Joss




Message #35 received at 760102@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Josselin Mouette <joss@debian.org>, 760102@bugs.debian.org
Subject: Re: Bug#760102: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Thu, 28 May 2015 09:05:33 -0400

On Thu 2015-05-28 03:11:55 -0400, Josselin Mouette wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: 
>    This proposes a workaround for GNOME keyring hijacking gpg-agent,
>    including shipping /usr/bin/gnome-keyring-unhijack-gpg-agent as an
>    interim measure, and suggesting its use if a hijack is detected.
>    (#760102 and #753163)
>
> How about fixing unstable instead of backporting what amounts to a RC
> bug to jessie? 

Josselin, which RC bug are you suggesting that i'm about to backport to
jessie?  I'm not proposing to set --use-standard-socket by default in
jessie, if that's what you're worried about.

gnome-keyring currently fails to support at least the following features
which GnuPG's gpg-agent handles:

 * S/MIME signing/decryption
 * smartcards
 * passphrases held in locked memory
 * updated s2k counts based on hardware capability.

(see: http://wiki.gnupg.org/GnomeKeyring)

So gpg will have degraded functionality if it relies on gnome-keyring as
the gpg-agent.  To avoid these problems, upstream detects whether the
agent appears to be provided by GNOME and complains about the hijacking
if it is (this check is already in jessie, fwiw, but the user has no
straightforward way of dealing with it because GNOME provides no
user-friendly mechanism to disable just this part of gnome-keyring).

If gpg is talking to gpg-agent in a graphical session, though, it needs
a graphical pinentry to be able to prompt the user.  So by default,
gnupg-agent Depends: on a disjunction of pinentry options, with
pinentry-gtk2 being highest-priority. The sensible fix for this is for
gpg-agent to Depend: on pinentry-curses alone (many fewer dependencies),
and for the graphical session to Depend: on a matching pinentry (see
https://bugs.debian.org/765406), but this concern has not been acted on
within the teams who work on desktop metapackages.

Additionally, the GnuPG packaging team has had numerous complaints about
gpg-agent's default dependency on pinentry-gtk2, because this ends up
pulling in a significant number of X11-related packages on otherwise
headless systems (see https://bugs.debian.org/753163 for one of the more
recent ones).

This is a nasty thicket of subtle interlocking bugs, and surely there's
enough blame to go around.  But i'd like to find a way to fix it, and
the proposal that is in 2.0.27-2 is my best shot so far (it would be
even better if the desktop tasks would recommend a matching pinentry).

I welcome other proposals for how to improve as many of these particular
debian use cases as possible:

 a) the default minimal package set for headless machines where admins
    might want to run mutt should not pull in any X11 libraries

 b) the ability to use gnupg with full gpg-agent functionality on
    systems running GNOME

 c) the ability to use gnome-keyring's passphrase-caching safely with
    gpg-agent

pinentry upstream (the GnuPG upstream team) is working on a
pinentry-gnome3 that should address (c) as well, but it's not even
released yet, and it seems quite unlikely that we'll get that into a
jessie point release.

So how else can we try to address any of the above problems in jessie?

Regards,

        --dkg

Message #40 received at 760102@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org
Subject: Re: Bug#760102: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Thu, 28 May 2015 16:35:28 +0200

Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
        Josselin, which RC bug are you suggesting that i'm about to backport to
        jessie? I'm not proposing to set --use-standard-socket by default in
        jessie, if that's what you're worried about.

Yes, this is what I was worried about. Thanks for your explanations.
Sorry for jumping in too fast with the “RC bug” wording, which was not
mandated given what you have in mind - I guess the breakage in unstable
did make me nervous.

I’m not really sure your solution is worth deploying to jessie this way,
though. Maybe a few words in the release notes would be enough.

Talking about unstable:

         c) the ability to use gnome-keyring's passphrase-caching safely with
            gpg-agent
        
        pinentry upstream (the GnuPG upstream team) is working on a
        pinentry-gnome3 that should address (c) as well, but it's not even
        released yet, and it seems quite unlikely that we'll get that into a
        jessie point release.

If gnome-keyring upstream agrees (I don’t know why they wouldn’t, but I
haven’t looked at the architecture in detail), it looks like the
long-term solution. But so far it isn’t there. It would be much
appreciated if you could at least revert the --use-standard-socket
change until this new pinentry has been uploaded to unstable and
properly integrated in reverse dependencies wherever needed. 

Cheers,
-- 
Joss




Message #45 received at 760102@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Josselin Mouette <joss@debian.org>, 760102@bugs.debian.org
Subject: Re: Bug#760102: gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Thu, 28 May 2015 13:30:46 -0400

On Thu 2015-05-28 10:35:28 -0400, Josselin Mouette wrote:
> Yes, this is what I was worried about. Thanks for your explanations.
> Sorry for jumping in too fast with the “RC bug” wording, which was not
> mandated given what you have in mind - I guess the breakage in unstable
> did make me nervous.

What breakage are you seeing in unstable?  the 2.1.x series is still
only in experimental, so --use-standard-socket isn't happening in
unstable... yet ;)

> I’m not really sure your solution is worth deploying to jessie this way,
> though. Maybe a few words in the release notes would be enough.

What words would you suggest?  Maybe something like this:

    If you run a headless system, we recommend that you install
    pinentry-curses before upgrading to jessie.  This will satisfy
    gpg-agent's pinentry dependencies, and will avoid pulling in
    graphical libraries and toolkits on upgrade.

    If you run GNOME and use GnuPG with smartcards, S/MIME, or want
    stronger security protection for your GnuPG secret material, you may
    want to disable GNOME keyring's gpg-agent interface.  You can do
    this by modifying files in /etc/xdg/autostart.  See
    /usr/share/doc/gnome-keyring/README.Debian for more information.



But this all really sounds like something we're supposed to have taken
care of as a distro.  For example, by making sure that packages like
GnuPG by default pull in only minimal dependencies; and ensuring that
graphical environments (desktop tasks) recommend the use of a matching
pinentry for those users who use GnuPG and already have all the
graphical toolkits installed; and making sure that gnome-keyring doesn't
degrade the functionality or security of other software like GnuPG.

These are the kind of system integration tasks that a distro should be
taking care of, and we (myself included) have been failing at it in this
case.  Users shouldn't have to read paragraphs like the proposed text
above, their tools should Just Work :/

> If gnome-keyring upstream agrees (I don’t know why they wouldn’t, but I
> haven’t looked at the architecture in detail), it looks like the
> long-term solution. But so far it isn’t there. It would be much
> appreciated if you could at least revert the --use-standard-socket
> change until this new pinentry has been uploaded to unstable and
> properly integrated in reverse dependencies wherever needed. 

I've prodded upstream about making a pinentry release including
pinentry-gnome3.  Hopefully it'll happen in the next few days, and then
i'll send it through NEW.

I don't think reverting the --use-standard-socket change is going to
happen, that's a rather far-reaching change and upstream is pretty
committed to it -- it provides a nice simplification for all code
running in the common (non-remote-$HOME) case.

You mention "breaking remote $HOME" -- that's the main concern i had
with the change as well, but maybe we should open that as a separate bug
report, specify exactly what the scope of the breakage is, and try to
find some solutions for it that are palatable to upstream.

Regards,

     --dkg



Message #50 received at 760102@bugs.debian.org:

From: Eric Dorland <eric@debian.org>
To: Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>
Cc: 787045@bugs.debian.org, 753163@bugs.debian.org, 760102@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Fri, 29 May 2015 14:39:32 -0400

* Daniel Kahn Gillmor (dkg@fifthhorseman.net) wrote:
> hey debian gnupg folks--
> 
> I've uploaded gnupg2 2.0.27-2 to unstable.  This brings unstable closer
> to upstream (most of debian/patches is removed), and includes some
> debian-specific attempts to address some problems that might be relevant
> for a wider userbase.
> 
> The most important changes included in 2.0.27-2 that i'd like people to
> look at are:
> 
> https://anonscm.debian.org/cgit/pkg-gnupg/gnupg2.git/commit/?id=154d606ed022cee8ef1b86183f6a444d198a8a39
> 
>    This proposes a workaround for GNOME keyring hijacking gpg-agent,
>    including shipping /usr/bin/gnome-keyring-unhijack-gpg-agent as an
>    interim measure, and suggesting its use if a hijack is detected.
>    (#760102 and #753163)
> 
> https://anonscm.debian.org/cgit/pkg-gnupg/gnupg2.git/commit/?id=be070c6017fede8dbd3549c0071e3f0ac44bebcd
> 
>    This imports NIIBE's upstream fix to not choke on repeated copies of
>    unknown key material (#787045)
> 
> If folks can take a look at these changes and let me know what you think
> about them, that would be great.
> 
> In particular, i want to consider the two changes above for a stable
> point release, so if you see any concerns about either of them, please
> say something.

Both seem reasonable for inclusion, particularly the second
one. Should we have a NEWS.Debian entry to explain the issues with
gnome-keyring and the existence of this script as well?

-- 
Eric Dorland <eric@kuroneko.ca>
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93

Message #55 received at 760102@bugs.debian.org:

From: Raphaël Halimi <raphael.halimi@gmail.com>
To: Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>, 787045@bugs.debian.org, 753163@bugs.debian.org, 760102@bugs.debian.org
Subject: Re: Bug#753163: [pkg-gnupg-maint] gnupg 2.0.27 in debian unstable, with some fixes that we might want to consider for jessie
Date: Wed, 3 Jun 2015 15:22:24 +0200

On 29/05/2015 20:39, Eric Dorland wrote:
>> In particular, i want to consider the two changes above for a stable
>> point release, so if you see any concerns about either of them, please
>> say something.
> 
> Both seem reasonable for inclusion, particularly the second
> one. Should we have a NEWS.Debian entry to explain the issues with
> gnome-keyring and the existence of this script as well?

If you decide to include a NEWS.Debian entry, it may be a good idea to
suggest the removal of useless packages on headless servers (from memory
when I stumbled on this bug, "apt-get remove --purge pinentry-gtk2 &&
apt-get autoremove --purge" should do the trick).

Regards,

-- 
Raphaël Halimi


Added indication that 760102 affects gnupg-agent and gnupg2. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Fri, 05 Jun 2015 04:18:03 GMT)


Message #62 received at 760102@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: Stef Walter <stefw@gnome.org>, gnupg-devel@gnupg.org, 760102@bugs.debian.org
Subject: Re: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 00:20:07 -0400

Control: retitle 760102 gnome-keyring: please build with --disable-gpg-agent
Control: block 760102 with 787786

On Thu 2015-06-04 22:30:21 -0400, Neal H. Walfield wrote:
> At Thu, 04 Jun 2015 22:14:25 -0400, Daniel Kahn Gillmor wrote:

>> >> >   - An update to Gnome-Keyring that disables its GPG Agent proxy.
>> >> 
>> >> Maybe we need to offer them a patch.  the goal here is just to disable
>> >> gnome-keyring's gpg-agent proxy implementation by default, right?
>> >
>> > That's correct.  It should be sufficient to configure gnome keyring
>> > with --disable-gpg-agent (but I haven't tested this).
>> 
>> that would make it so that users who wanted to use gnome-keyring as the
>> gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
>> who otherwise ignore the concerns Werner has raised about
>> gnome-keyring's incomplete gpg-agent support) would be unable to do so.
>> 
>> It's a more invasive change than just disabling the functionality as per
>> runtime defaults.
>> 
>> Then again, that might keep us from dealing with a lot of extra bug
>> reports :)
>
> I spoke with Stef (the maintainer of GNOME Keyring, cc'ed) and he
> agrees that removing the proxy is the correct way forward.
>
> The only reason that the proxy exists is to cache passwords.
> pinentry-gnome3 does exactly that in a cleaner way.  In other words:
> it makes the proxy completely redundant.
>
> A GSoC student is working on finishing the changes to GNOME Keyring
> and pinentry-gnome3 (e.g., extending GCR to deal with all of GnuPG's
> prompts).  Nevertheless, the current pinentry version is already more
> complete than the proxy.

Great, this sounds like a good assessment.

I'm forwarding this info to https://bugs.debian.org/760102, which is
already asking for some resolution of this situation.

If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
able to build with --disable-gpg-agent.

Thanks for your work on this, all the coordination.

Regards,

        --dkg



Changed Bug title to 'gnome-keyring: please build with --disable-gpg-agent' from 'gnome-keyring: Breaks gpg-agent with no UI to disable'. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to 760102-submit@bugs.debian.org. (Fri, 05 Jun 2015 04:24:03 GMT)


Added blocking bug(s) of 760102: 787786. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to 760102-submit@bugs.debian.org. (Fri, 05 Jun 2015 04:24:04 GMT)


Message #71 received at 760102@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 06:36:04 +0200

On 05.06.2015 at 06:20, Daniel Kahn Gillmor wrote:
> If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
> able to build with --disable-gpg-agent.

I just installed pinentry-gnome3 to give it a try, but apparently it
needs further configuration to be used by gnome-keyring.
Can you explain, how?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Message #76 received at 760102@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Biebl <biebl@debian.org>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 02:16:57 -0400

On Fri 2015-06-05 00:36:04 -0400, Michael Biebl wrote:
> On 05.06.2015 at 06:20, Daniel Kahn Gillmor wrote:
>> If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
>> able to build with --disable-gpg-agent.
>
> I just installed pinentry-gnome3 to give it a try, but apparently it
> needs further configuration to be used by gnome-keyring.
> Can you explain, how?

You need to:

 * disable gnome-keyring's gpg-agent mechanism (either by rebuilding
   gnome-keyring with --disable-gpg-agent or by fiddling with
   /etc/xdg/autostart/gnome-keyring-gpg.desktop), and

 * make sure the gnupg-agent package is installed, and that gpg-agent is
   running in your session (usually started by
   /etc/X11/Xsession.d/90gpg-agent for gpg-agent < 2.1, or automatically
   when needed for gpg2 and gpg-agent >= 2.1)

Then any gpg or gpg2 process that wants to talk to the gpg-agent will
find it.  when gpg-agent wants a passphrase, it will invoke pinentry,
which should now be provided by pinentry-gnome3.  this uses gcr for
prompting, and uses libsecret to (optionally) store passphrases with
gnome-keyring.

make sense?  does this work for you?  please let me know if you're
having any trouble with it, i'm happy to help.

       --dkg
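
An added example, not part of the message above or of either project's code: a shell check for the two conditions Daniel lists, reading the autostart entry and `GPG_AGENT_INFO`. The per-user override directory, the `X-GNOME-Autostart-enabled` key and the socket-path heuristic (a socket named `gpg` under a `keyring*` directory) are assumptions, and the desktop files in `demo` are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: check the two conditions from the message
# above (gnome-keyring's gpg autostart entry off, a real gpg-agent advertised).

# entry_disabled FILE
# Succeeds when the [Desktop Entry] group turns the autostart entry off:
# Hidden=true (XDG autostart spec) or X-GNOME-Autostart-enabled=false (GNOME).
entry_disabled() {
    awk '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]"); next }
        in_entry && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Hidden" && val == "true") off = 1
            if (key == "X-GNOME-Autostart-enabled" && val == "false") off = 1
        }
        END { exit !off }
    ' "$1"
}

# autostart_state USER_DIR SYSTEM_DIR NAME
# Prints absent, disabled or enabled. A file of the same name in the per-user
# directory overrides the system one (assumption: standard XDG lookup order).
autostart_state() {
    if [ -f "$1/$3" ]; then
        effective="$1/$3"
    elif [ -f "$2/$3" ]; then
        effective="$2/$3"
    else
        echo absent
        return 0
    fi
    if entry_disabled "$effective"; then echo disabled; else echo enabled; fi
}

# classify_agent_info VALUE
# VALUE is GPG_AGENT_INFO ("socket:pid:protocol"). Heuristic (assumption): a
# socket named "gpg" below a "keyring*" directory belongs to gnome-keyring.
# "unset" is normal with gpg-agent >= 2.1, which is started when needed.
classify_agent_info() {
    if [ -z "$1" ]; then
        echo unset
        return 0
    fi
    case "${1%%:*}" in
        */keyring*/gpg) echo gnome-keyring ;;
        *)              echo gpg-agent ;;
    esac
}

# session_verdict AGENT_INFO AUTOSTART_STATE
session_verdict() {
    if [ "$(classify_agent_info "$1")" = gnome-keyring ]; then
        echo proxy-active
    elif [ "$2" = enabled ]; then
        echo proxy-starts-at-next-login
    else
        echo ok
    fi
}

# Constructed sample: a system entry left enabled, then a per-user override.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sys" "$d/user"
    printf '[Desktop Entry]\nType=Application\nName=constructed sample\n' \
        > "$d/sys/gnome-keyring-gpg.desktop"
    before=$(autostart_state "$d/user" "$d/sys" gnome-keyring-gpg.desktop)
    printf '[Desktop Entry]\nHidden=true\n' > "$d/user/gnome-keyring-gpg.desktop"
    after=$(autostart_state "$d/user" "$d/sys" gnome-keyring-gpg.desktop)
    rm -rf "$d"
    echo "$before->$after"
}

echo "constructed sample: $(demo)"

# Live check of the current session (paths other than the desktop file named
# in the thread are assumptions).
state=$(autostart_state "${XDG_CONFIG_HOME:-${HOME:-/nonexistent}/.config}/autostart" \
        /etc/xdg/autostart gnome-keyring-gpg.desktop)
echo "autostart entry: $state"
echo "agent: $(classify_agent_info "${GPG_AGENT_INFO:-}")"
echo "verdict: $(session_verdict "${GPG_AGENT_INFO:-}" "$state")"
```
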



Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 06:42:10 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 06:42:10 GMT) (full text, mbox, link).


Message #81 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 08:39:55 +0200
[Message part 1 (text/plain, inline)]
Am 05.06.2015 um 08:16 schrieb Daniel Kahn Gillmor:
> make sense?  does this work for you?  please let me know if you're
> having any trouble with it, i'm happy to help.

Seems to work ok for unlocking the keys. Haven't tried the "Save in
password manager" option yet, though.

That said, the package doesn't ship any translations apparently, and the
leading '_' in _Save, _OK and _Cancel looks like there is something broken
with i18n.
I think before we consider switching to pinentry-gnome3, this should be
fixed and the package should provide a basic set of translations, at
least for the more popular languages.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
[pinentry-gnome3.png (image/png, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 07:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 07:09:03 GMT) (full text, mbox, link).


Message #86 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Biebl <biebl@debian.org>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 03:06:12 -0400
On Fri 2015-06-05 02:39:55 -0400, Michael Biebl wrote:
> That said, the package doesn't ship any translations apparently, and the
> leading '_' in _Save, _OK and _Cancel looks like there is something broken
> with i18n.

The "_OK" and "_Cancel" work fine in gcr under xfce4, as noted here:

 http://thread.gmane.org/gmane.comp.encryption.gpg.devel/20133/focus=20139

("_Save" is still broken on xfce4's gcr prompter, though).  So I think
the issue is with gcr on gnome3, not with pinentry.

It looks to me like gcr_prompt_set_choice_label() doesn't support
prefixed-underscore accelerator keys the way
gcr_prompt_set_continue_label() and gcr_prompt_set_cancel_label() do
on xfce4's gcr.

Shall I open a bug in gcr about this?

> I think before we consider switching to pinentry-gnome3, this should be
> fixed and the package should provide a basic set of translations, at
> least for the more popular languages.

The translations of those strings actually ship in gpg-agent's source
(gnupg2), which already has translations for most of the strings.  The
only new string in all of this is "Save in password manager", and gnupg
has plausible translations for de at least there.

(cs, da, jp, fr, nl, pl, ru, sv, uk, and zh_TW appear to have
fuzzy-mapped "Save in password manager" to the "Cancel" string, which is
probably a pretty bad outcome; i agree that part should be fixed)

          --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 07:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>, 760102@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 07:09:06 GMT) (full text, mbox, link).


Message #91 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <email@michaelbiebl.de>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 09:07:22 +0200
[Message part 1 (text/plain, inline)]
Am 05.06.2015 um 08:39 schrieb Michael Biebl:
> Am 05.06.2015 um 08:16 schrieb Daniel Kahn Gillmor:
>> make sense?  does this work for you?  please let me know if you're
>> having any trouble with it, i'm happy to help.
> 
> Seems to work ok for unlocking the keys. Haven't tried the "Save in
> password manager" option yet, though.

Daniel, on a related note, is it possible that gpg2 is much slower than the
older gpg v1?
It often happens here that Thunderbird (using enigmail) hangs for 30secs
and I have a gpg2 process at 100% CPU. I never saw that behaviour with
gpg v1.




-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 07:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 07:18:04 GMT) (full text, mbox, link).


Message #96 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 09:14:51 +0200
[Message part 1 (text/plain, inline)]
Am 05.06.2015 um 09:06 schrieb Daniel Kahn Gillmor:
> It looks to me like gcr_prompt_set_choice_label() doesn't support
> prefixed-underscore accelerator keys the way
> gcr_prompt_set_continue_label() and gcr_prompt_set_cancel_label() do
> on xfce4's gcr.
> 
> Shall I open a bug in gcr about this?

I'm not too familiar with this code and how this is supposed to work, so
I honestly don't know.

> The translations of those strings actually ship in gpg-agent's source
> (gnupg2), which already has translations for most of the strings.  The
> only new string in all of this is "Save in password manager", and gnupg
> has plausible translations for de at least there.
> 
> (cs, da, jp, fr, nl, pl, ru, sv, uk, and zh_TW appear to have
> fuzzy-mapped "Save in password manager" to the "Cancel" string, which is
> probably a pretty bad outcome; i agree that part should be fixed)

Nod, thanks for the info.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 09:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Werner Koch <wk@gnupg.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 09:00:03 GMT) (full text, mbox, link).


Message #101 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Werner Koch <wk@gnupg.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Michael Biebl <biebl@debian.org>, 760102@bugs.debian.org, "Neal H. Walfield" <neal@walfield.org>, gnupg-devel@gnupg.org, Stef Walter <stefw@gnome.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 10:52:36 +0200
On Fri,  5 Jun 2015 09:06, dkg@fifthhorseman.net said:

> (cs, da, jp, fr, nl, pl, ru, sv, uk, and zh_TW appear to have
> fuzzy-mapped "Save in password manager" to the "Cancel" string, which is
> probably a pretty bad outcome; i agree that part should be fixed)

Fuzzy marked entries are not used by gettext.  Thus this is only a
missing translation.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 13:48:13 GMT) (full text, mbox, link).


Acknowledgement sent to Stef Walter <stefw@gnome.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 13:48:13 GMT) (full text, mbox, link).


Message #106 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Stef Walter <stefw@gnome.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "Neal H. Walfield" <neal@walfield.org>
Cc: gnupg-devel@gnupg.org, 760102@bugs.debian.org, Watson Sato <yuuma.sato@gmail.com>
Subject: Re: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 15:37:26 +0200
On 05.06.2015 06:20, Daniel Kahn Gillmor wrote:
> Control: retitle 760102 gnome-keyring: please build with --disable-gpg-agent
> Control: block 760102 with 787786
> 
> On Thu 2015-06-04 22:30:21 -0400, Neal H. Walfield wrote:
>> At Thu, 04 Jun 2015 22:14:25 -0400, Daniel Kahn Gillmor wrote:
> 
>>>>>>   - An update to Gnome-Keyring that disables its GPG Agent proxy.
>>>>>
>>>>> Maybe we need to offer them a patch.  the goal here is just to disable
>>>>> gnome-keyring's gpg-agent proxy implementation by default, right?
>>>>
>>>> That's correct.  It should be sufficient to configure gnome keyring
>>>> with --disable-gpg-agent (but I haven't tested this).
>>>
>>> that would make it so that users who wanted to use gnome-keyring as the
>>> gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
>>> who otherwise ignore the concerns Werner has raised about
>>> gnome-keyring's incomplete gpg-agent support) would be unable to do so.
>>>
>>> It's a more invasive change than just disabling the functionality as per
>>> runtime defaults.
>>>
>>> Then again, that might keep us from dealing with a lot of extra bug
>>> reports :)
>>
>> I spoke with Stef (the maintainer of GNOME Keyring, cc'ed) and he
>> agrees that removing the proxy is the correct way forward.
>>
>> The only reason that the proxy exists is to cache passwords.
>> pinentry-gnome3 does exactly that in a cleaner way.  In other words:
>> it makes the proxy completely redundant.
>>
>> A GSoC student is working on finishing the changes to GNOME Keyring
>> and pinentry-gnome3 (e.g., extending GCR to deal with all of GnuPG's
>> prompts).  Nevertheless, the current pinentry version is already more
>> complete than the proxy.
> 
> Great, this sounds like a good assessment.
> 
> I'm forwarding this info to https://bugs.debian.org/760102, which is
> already asking for some resolution of this situation.
> 
> If gnome-keyring can Depend: pinentry-gnome3 (#787786), it should be
> able to build with --disable-gpg-agent.
> 
> Thanks for your work on this, all the coordination.

Great work, Neal.

Confirming that I'll be ready to remove the code once the new pinentry
makes it into a release. Removing code always makes me smile :)

/me guesses there will be a few pieces to pick up. eg: figuring out how
to enable the new pinentry by default when running in GNOME. But it's
early in the GNOME 3.17 6 month release cycle and we can work that out
after removal of the agent.

Stef




Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 13:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Neal H. Walfield" <neal@walfield.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 13:57:03 GMT) (full text, mbox, link).


Message #111 received at 760102@bugs.debian.org (full text, mbox, reply):

From: "Neal H. Walfield" <neal@walfield.org>
To: Stef Walter <stefw@gnome.org>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, gnupg-devel@gnupg.org, 760102@bugs.debian.org, Watson Sato <yuuma.sato@gmail.com>
Subject: Re: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 15:55:22 +0200
Hi Stef,

At Fri, 05 Jun 2015 15:37:26 +0200,
Stef Walter wrote:
> Confirming that I'll be ready to remove the code once the new pinentry
> makes it into a release. Removing code always makes me smile :)

A new pinentry with the code has already been released (0.9.3).

:) Neal



Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 17:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 17:09:04 GMT) (full text, mbox, link).


Message #116 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: "Neal H. Walfield" <neal@walfield.org>, 760102@bugs.debian.org, Stef Walter <stefw@gnome.org>
Cc: gnupg-devel@gnupg.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Watson Sato <yuuma.sato@gmail.com>, Josselin Mouette <joss@debian.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 19:04:47 +0200
[Message part 1 (text/plain, inline)]
Am 05.06.2015 um 15:55 schrieb Neal H. Walfield:
> Hi Stef,
> 
> At Fri, 05 Jun 2015 15:37:26 +0200,
> Stef Walter wrote:
>> Confirming that I'll be ready to remove the code once the new pinentry
>> makes it into a release. Removing code always makes me smile :)
> 
> A new pinentry with the code has already been released (0.9.3).

Just to be clear here: this new pinentry-gnome3 and gnupg-agent, do they
both work with either gnupg or gnupg2?

@Joss: related to that, I notice, that you added a versioned dependency
on gnupg (>= 1.4.7) to the seahorse package in 2008.
Is this still valid today? Or should we either drop that dependency or
replace it with something like Depends: gnupg2 | gnupg (>= 1.4.7)

I have no strong preference which one we pick as default, as long as it
works properly. So I'd leave the judgement to those more familiar with
the advantages/disadvantages of gnupg vs gnupg2

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 17:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 17:21:08 GMT) (full text, mbox, link).


Message #121 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Biebl <biebl@debian.org>, "Neal H. Walfield" <neal@walfield.org>, 760102@bugs.debian.org, Stef Walter <stefw@gnome.org>
Cc: gnupg-devel@gnupg.org, Watson Sato <yuuma.sato@gmail.com>, Josselin Mouette <joss@debian.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 13:19:45 -0400
On Fri 2015-06-05 13:04:47 -0400, Michael Biebl wrote:
> Just to be clear here: this new pinentry-gnome3 and gnupg-agent, do they
> both work with either gnupg or gnupg2?

Yes, they both work with either gnupg or gnupg2.

> @Joss: related to that, I notice, that you added a versioned dependency
> on gnupg (>= 1.4.7) to the seahorse package in 2008.
> Is this still valid today? Or should we either drop that dependency or
> replace it with something like Depends: gnupg2 | gnupg (>= 1.4.7)
>
> I have no strong preference which one we pick as default, as long as it
> works properly. So I'd leave the judgement to those more familiar with
> the advantages/disadvantages of gnupg vs gnupg2

seahorse links to libgpgme11, which itself depends on gnupg2 (this is
the preferred backend for GnuPG upstream).

Given that 1.4.7 is older than oldoldstable, you ought to be able to
drop the explicit gnupg dependency entirely from seahorse, iiuc.

     --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 17:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 17:27:03 GMT) (full text, mbox, link).


Message #126 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "Neal H. Walfield" <neal@walfield.org>, 760102@bugs.debian.org, Stef Walter <stefw@gnome.org>
Cc: gnupg-devel@gnupg.org, Watson Sato <yuuma.sato@gmail.com>, Josselin Mouette <joss@debian.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 19:25:42 +0200
[Message part 1 (text/plain, inline)]
Am 05.06.2015 um 19:19 schrieb Daniel Kahn Gillmor:
> Given that 1.4.7 is older than oldoldstable, you ought to be able to
> drop the explicit gnupg dependency entirely from seahorse, iiuc.

Well, assuming that seahorse does work properly with gnupg2.
That's basically my question.
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 19:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Werner Koch <wk@gnupg.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 19:00:03 GMT) (full text, mbox, link).


Message #131 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Werner Koch <wk@gnupg.org>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: Stef Walter <stefw@gnome.org>, gnupg-devel@gnupg.org, 760102@bugs.debian.org, Watson Sato <yuuma.sato@gmail.com>
Subject: Re: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 20:52:12 +0200
On Fri,  5 Jun 2015 15:55, neal@walfield.org said:

> A new pinentry with the code has already been released (0.9.3).

but you better get 0.9.4.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#760102; Package gnome-keyring. (Fri, 05 Jun 2015 19:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Fri, 05 Jun 2015 19:00:06 GMT) (full text, mbox, link).


Message #136 received at 760102@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Biebl <biebl@debian.org>, "Neal H. Walfield" <neal@walfield.org>, 760102@bugs.debian.org, Stef Walter <stefw@gnome.org>
Cc: gnupg-devel@gnupg.org, Watson Sato <yuuma.sato@gmail.com>, Josselin Mouette <joss@debian.org>
Subject: Re: Bug#760102: gnome keyring & gpg agent
Date: Fri, 05 Jun 2015 14:57:40 -0400
[Message part 1 (text/plain, inline)]
Control: clone 760102 -1
Control: reassign -1 seahorse
Control: tags -1 + patch
Control: retitle -1 build seahorse compatible with gpg2

On Fri 2015-06-05 13:25:42 -0400, Michael Biebl wrote:
> Am 05.06.2015 um 19:19 schrieb Daniel Kahn Gillmor:
>> Given that 1.4.7 is older than oldoldstable, you ought to be able to
>> drop the explicit gnupg dependency entirely from seahorse, iiuc.
>
> Well, assuming that seahorse does work properly with gnupg2.
> That's basically my question.

The seahorse source code seems to actually behave completely differently
depending on whether it is built with modern versions of any branch
(meaning: gpg >= 1.4.10, or gpg2 >= 2.0.12) versus older versions.  (see
pgp/seahorse-gpgme-key-op.h).  :(

This is not great engineering practice, because the version built
against isn't guaranteed to match the version that's running.

That said, even oldoldstable builds and runs "modern versions" by this
metric.

I just tested seahorse on a minimal-ish unstable gnome install, where i
did "dpkg --force-depend --purge gnupg".

Unfortunately, it looks like seahorse embeds the string "gpg" in it, so
it's looking for /usr/bin/gpg.

Running seahorse in this configuration produces lots of errors of this
form:

   operation-Message: couldn't initialize gnupg properly: Invalid crypto engine

The attached patch should resolve things for future versions of
seahorse, though, both on build-time detection and on runtime
flexibility.

(the attached patch touches both ./configure.ac and ./configure -- since
the package appears to be doing autoreconf, maybe the modifications to
./configure are unnecessary)

The only failures i'm now running into with seahorse like this are
failures due to gcr_importer hard-coding paths to gpg as well, so those
are bugs i'll file separately.

Regards,

        --dkg


[0001-avoid-deps-on-a-certain-version-of-gpg.patch (text/x-diff, inline)]
From 62f40108a1145016d128afe2fa40e20caa2d9d77 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 5 Jun 2015 14:24:29 -0400
Subject: [PATCH] avoid deps on a certain version of gpg

---
 debian/changelog                   |  7 +++++
 debian/control                     |  3 +--
 debian/control.in                  |  3 +--
 debian/patches/series              |  1 +
 debian/patches/use-any-gnupg.patch | 55 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+), 4 deletions(-)
 create mode 100644 debian/patches/use-any-gnupg.patch

diff --git a/debian/changelog b/debian/changelog
index 190c57a..6e09d82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+seahorse (3.16.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * avoid explicit dependencies on certain versions of gpg.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 05 Jun 2015 14:23:46 -0400
+
 seahorse (3.16.0-1) unstable; urgency=medium
 
   * New upstream release.
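Review bot: the new 3.16.0-1.1 entry says only "avoid explicit dependencies on certain versions of gpg", which describes the debian/control change but not the rest of the upload: the added use-any-gnupg.patch also reorders the configure probe to try gpg2 first, accepts 2.1, and changes the gpgme engine setup at runtime. Suggest one changelog bullet per change, naming the patch file, and a Closes: reference once the seahorse bug number is known.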
diff --git a/debian/control b/debian/control
index 5a64f68..6c399ec 100644
--- a/debian/control
+++ b/debian/control
@@ -36,8 +36,7 @@ Architecture: any
 Depends: ${misc:Depends},
          ${shlibs:Depends},
          gcr (>= 3.4),
-         gnome-keyring (>= 3.4),
-         gnupg (>= 1.4.7)
+         gnome-keyring (>= 3.4)
 Recommends: openssh-client
 Description: GNOME front end for GnuPG
  Seahorse is a front end for GnuPG - the GNU Privacy Guard program -
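Review bot: with "gnupg (>= 1.4.7)" removed from Depends, nothing in this stanza names a GnuPG binary any more, so seahorse gets one only indirectly through ${shlibs:Depends}. If that indirect route is intended, say so in the changelog; otherwise an unversioned alternative such as "gnupg2 | gnupg" keeps the requirement explicit without pinning a branch. The same point applies to the identical debian/control.in hunk.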
diff --git a/debian/control.in b/debian/control.in
index 1431884..2ee9734 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -32,8 +32,7 @@ Architecture: any
 Depends: ${misc:Depends},
          ${shlibs:Depends},
          gcr (>= 3.4),
-         gnome-keyring (>= 3.4),
-         gnupg (>= 1.4.7)
+         gnome-keyring (>= 3.4)
 Recommends: openssh-client
 Description: GNOME front end for GnuPG
  Seahorse is a front end for GnuPG - the GNU Privacy Guard program -
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..c3b0125 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+use-any-gnupg.patch
diff --git a/debian/patches/use-any-gnupg.patch b/debian/patches/use-any-gnupg.patch
new file mode 100644
index 0000000..f64aa22
--- /dev/null
+++ b/debian/patches/use-any-gnupg.patch
@@ -0,0 +1,55 @@
+Description: Use any version of GnuPG
+Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+
+--- seahorse-3.16.0.orig/configure
++++ seahorse-3.16.0/configure
+@@ -2531,7 +2531,7 @@ GCR_REQUIRED=3.11.91
+ GTK_REQ=3.4.0
+ GTK_MAX=GTK_VERSION_3_4
+ 
+-GNUPG_ACCEPTED="1.2 1.4 2.0"
++GNUPG_ACCEPTED="1.2 1.4 2.0 2.1"
+ GPGME_REQUIRED=1.0.0
+ LIBSECRET_REQUIRED=0.16
+ AVAHI_GLIB_REQUIRED=0.6
+@@ -8569,7 +8569,7 @@ fi
+ 
+ 
+ 	if test	"$DO_CHECK" = "yes"; then
+-		for ac_prog in gpg gpg2
++		for ac_prog in gpg2 gpg
+ do
+   # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+--- seahorse-3.16.0.orig/configure.ac
++++ seahorse-3.16.0/configure.ac
+@@ -9,7 +9,7 @@ GCR_REQUIRED=3.11.91
+ GTK_REQ=3.4.0
+ GTK_MAX=GTK_VERSION_3_4
+ 
+-GNUPG_ACCEPTED="1.2 1.4 2.0"
++GNUPG_ACCEPTED="1.2 1.4 2.0 2.1"
+ GPGME_REQUIRED=1.0.0
+ LIBSECRET_REQUIRED=0.16
+ AVAHI_GLIB_REQUIRED=0.6
+@@ -130,7 +130,7 @@ else
+ 		DO_CHECK=$enableval, DO_CHECK=yes)
+ 	
+ 	if test	"$DO_CHECK" = "yes"; then
+-		AC_PATH_PROGS(GNUPG, [gpg gpg2], no)
++		AC_PATH_PROGS(GNUPG, [gpg2 gpg], no)
+ 		AC_DEFINE_UNQUOTED(GNUPG, "$GNUPG", [Path to gpg executable.])
+ 		ok="no"
+ 		if test "$GNUPG" != "no"; then
+--- seahorse-3.16.0.orig/pgp/seahorse-pgp-backend.c
++++ seahorse-3.16.0/pgp/seahorse-pgp-backend.c
+@@ -311,7 +311,7 @@ seahorse_pgp_backend_initialize (void)
+ 
+ 	g_return_if_fail (pgp_backend != NULL);
+ 
+-	gpgme_set_engine_info (GPGME_PROTOCOL_OpenPGP, GNUPG, NULL);
++	gpgme_set_engine_info (GPGME_PROTOCOL_OpenPGP, NULL, NULL);
+ }
+ 
+ SeahorseGpgmeKeyring *
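Review bot: in the pgp/seahorse-pgp-backend.c part, gpgme_set_engine_info() now receives NULL for the file name, so the engine used at runtime is whatever gpgme selects, while configure.ac still probes for a binary, checks it against GNUPG_ACCEPTED and defines GNUPG; the build-time check therefore no longer describes the binary that runs, and the call's return value is still discarded, so an engine failure only surfaces later. Suggest checking the gpgme_error_t result and logging it, and either dropping the GNUPG define if nothing else uses it or documenting why the probe stays. The ./configure parts duplicate the configure.ac ones and can be dropped if the package runs autoreconf, and the patch header would benefit from a fuller Description and a bug reference.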
-- 
2.1.4

[signature.asc (application/pgp-signature, inline)]

Bug 760102 cloned as bug 787860 Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to 760102-submit@bugs.debian.org. (Fri, 05 Jun 2015 19:00:06 GMT) (full text, mbox, link).


Added blocking bug(s) of 760102: 788983 Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 16 Jun 2015 21:54:06 GMT) (full text, mbox, link).


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Thu, 02 Jul 2015 01:51:08 GMT) (full text, mbox, link).


Notification sent to Mark Brown <broonie@debian.org>:
Bug acknowledged by developer. (Thu, 02 Jul 2015 01:51:08 GMT) (full text, mbox, link).


Message #145 received at 760102-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 760102-close@bugs.debian.org
Subject: Bug#760102: fixed in gnome-keyring 3.16.0-3
Date: Thu, 02 Jul 2015 01:48:58 +0000
Source: gnome-keyring
Source-Version: 3.16.0-3

We believe that the bug you reported is fixed in the latest version of
gnome-keyring, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated gnome-keyring package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 02 Jul 2015 03:34:29 +0200
Source: gnome-keyring
Binary: gnome-keyring libpam-gnome-keyring
Architecture: source amd64
Version: 3.16.0-3
Distribution: unstable
Urgency: medium
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 gnome-keyring - GNOME keyring services (daemon and tools)
 libpam-gnome-keyring - PAM module to unlock the GNOME keyring upon login
Closes: 760102 787786
Changes:
 gnome-keyring (3.16.0-3) unstable; urgency=medium
 .
   * Drop obsolete Breaks from pre-wheezy.
   * Disable gpg agent as it is incomplete and incompatible with many uses of
     GnuPG 2.x. (Closes: #760102).
   * Depend on pinentry-gnome3 instead to provide the system modal dialogs.
     (Closes: #787786)
   * Remove obsolete /etc/xdg/autostart/gnome-keyring-gpg.desktop on upgrades.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 31 Jul 2015 07:25:25 GMT) (full text, mbox, link).


Added indication that bug 760102 blocks 623539 Request was from Luca Capello <luca@pca.it> to control@bugs.debian.org. (Fri, 11 Mar 2016 22:24:08 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jun 27 23:12:59 2023; Machine Name: bembo
