#623539 Takes over GPG and SSH agents from gnupg-agent and ssh-agent

Package:
gnome-keyring
Source:
gnome-keyring
Description:
GNOME keyring services (daemon and tools)
Submitter:
Josh Triplett
Date:
2021-09-23 02:45:02 UTC
Severity:
normal
Blocked By:
#773304 gnome-keyring: fails to support openpgp smartcard (SCD SERIALNO openpgp: 103 unknown command) (severity: normal; found in stable, testing, unstable)

#623539#3
Date:
2011-04-21 01:34:07 UTC
From:
To:
Since upgrading to gnome-keyring 3, gnome-keyring has taken over
$GPG_AGENT_INFO, breaking gnupg-agent.  Please check if the session
already has a GPG agent, and if so please don't take over.

Also, please document how to disable the GPG agent entirely, to
complement the existing documentation on how to disable the SSH agent.

Thanks,
Josh Triplett

#623539#8
Date:
2011-04-21 18:03:17 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gnome-keyring, which is due to be installed in the Debian FTP archive:

gnome-keyring_3.0.0-3.debian.tar.gz
  to main/g/gnome-keyring/gnome-keyring_3.0.0-3.debian.tar.gz
gnome-keyring_3.0.0-3.dsc
  to main/g/gnome-keyring/gnome-keyring_3.0.0-3.dsc
gnome-keyring_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/gnome-keyring_3.0.0-3_amd64.deb
libgck-dev_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/libgck-dev_3.0.0-3_amd64.deb
libgck0_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/libgck0_3.0.0-3_amd64.deb
libgcr-3-0_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/libgcr-3-0_3.0.0-3_amd64.deb
libgcr-3-dev_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/libgcr-3-dev_3.0.0-3_amd64.deb
libpam-gnome-keyring_3.0.0-3_amd64.deb
  to main/g/gnome-keyring/libpam-gnome-keyring_3.0.0-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 623539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated gnome-keyring package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 21 Apr 2011 19:36:47 +0200
Source: gnome-keyring
Binary: gnome-keyring libgck-dev libgck0 libpam-gnome-keyring libgcr-3-dev libgcr-3-0
Architecture: source amd64
Version: 3.0.0-3
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description:
 gnome-keyring - GNOME keyring services (daemon and tools)
 libgck-dev - GLib wrapper library for PKCS#11 - development
 libgck0    - Glib wrapper library for PKCS#11 - runtime
 libgcr-3-0 - Library for Crypto UI related task - runtime
 libgcr-3-dev - Library for Crypto UI related task - development
 libpam-gnome-keyring - PAM module to unlock the GNOME keyring upon login
Closes: 622875 623335 623539
Changes:
 gnome-keyring (3.0.0-3) unstable; urgency=low
 .
   [ Josselin Mouette ]
   * Break libgnome-keyring < 3.0.
   * Fail gracefully when capabilities are not supported.
     Closes: #622875, #623335.
   * Break seahorse-plugins < 3.0, since it takes over the GPG
     functionality.
   * README.Debian: document how to disable gnome-keyring components.
     Closes: #623539.
Checksums-Sha1:
 5c4c0c4eee482ae98bbf41c53b0967e78bff0867 1859 gnome-keyring_3.0.0-3.dsc
 fd0c3048ad75e35813d456de562a4c6505c97d37 18438 gnome-keyring_3.0.0-3.debian.tar.gz
 66eec083073f86468fef672263d15739803ba25e 2047510 gnome-keyring_3.0.0-3_amd64.deb
 f03dce5c8ec855c99fb717020bf6512c6d3798de 289608 libgck-dev_3.0.0-3_amd64.deb
 cbc6695ee8693ed5f15476ec43c8213435eeee10 213382 libgck0_3.0.0-3_amd64.deb
 a279eb9cab4c782c136c6f371c1f058f77889fa6 174114 libpam-gnome-keyring_3.0.0-3_amd64.deb
 38652d03fbe7d76e689ad32b458f592d4aeb784a 376206 libgcr-3-dev_3.0.0-3_amd64.deb
 5f364a6680f24eaa3db6a4e38a55a0c7bd32a721 297924 libgcr-3-0_3.0.0-3_amd64.deb
Checksums-Sha256:
 a43f4a683327b874cfe49ffd56b7fc37fa03ecd94c473ece1f1e4a2234193921 1859 gnome-keyring_3.0.0-3.dsc
 c603e2934bad615d60befa88791cdac3f0e444a48a21d0542630ffbcd46b29eb 18438 gnome-keyring_3.0.0-3.debian.tar.gz
 c4a437bf956b854776277af574bf4263d677ea9c07648654f6fc78b217e673ea 2047510 gnome-keyring_3.0.0-3_amd64.deb
 ca500b46fd29d72e6a65aa6c0b2a397ee5741f3b7fa4d870d0b90684ccd82de0 289608 libgck-dev_3.0.0-3_amd64.deb
 1718e5e7a516099efeab9e38c6da5e54633d9440840895ecdba936c79124246b 213382 libgck0_3.0.0-3_amd64.deb
 07f8fba7305032daa63bca8a6e389c893fed1346b14b09b08a0506d0ca62db8e 174114 libpam-gnome-keyring_3.0.0-3_amd64.deb
 bf990d5a9eeecfdf7f8b7a04a97d2c5da8bf216f8be767a2b6d4e0dcc064e2c5 376206 libgcr-3-dev_3.0.0-3_amd64.deb
 69282ea2f46ae60774ef8a02e5b61594aed2381a1c2834ad2f264fcb717ea788 297924 libgcr-3-0_3.0.0-3_amd64.deb
Files:
 77cebf20db684f327d6f6f78561a9e3c 1859 gnome optional gnome-keyring_3.0.0-3.dsc
 3b13ec2db45a1cc6e208af1c697343db 18438 gnome optional gnome-keyring_3.0.0-3.debian.tar.gz
 e3faae773932f0ceccb837ac01354a27 2047510 gnome optional gnome-keyring_3.0.0-3_amd64.deb
 f122cd15c73cb8e5afbe941088efacea 289608 libdevel optional libgck-dev_3.0.0-3_amd64.deb
 ac41db4caf26feb4eff72e68ac6cb6ac 213382 libs optional libgck0_3.0.0-3_amd64.deb
 800eafd37fb252bc715e46b7c25bf80e 174114 admin optional libpam-gnome-keyring_3.0.0-3_amd64.deb
 c54ce932fb1bf249a67c8277f3d55664 376206 libdevel optional libgcr-3-dev_3.0.0-3_amd64.deb
 ef2f8fd2f7b35dbc76fc490d7d9310a7 297924 libs optional libgcr-3-0_3.0.0-3_amd64.deb

#623539#13
Date:
2011-04-23 00:02:45 UTC
From:
To:
reopen 623539
retitle 623539 Takes over GPG and SSH agents from gnupg-agent and ssh-agent
thanks

Thank you for adding documentation on how to manually disable
gnome-keyring's SSH and GPG agents.  (I just ran into the SSH agent
today; apparently gnome-keyring now ignores the previous
/apps/gnome-keyring/daemon-components/ssh gconf key.)  However, this
only fixes half of the reported bug.

I have libpam-ssh installed and configured.  libpam-ssh starts an
ssh-agent with my SSH key automatically unlocked via my login password.
gnome-keyring ignores the configured SSH agent, and starts one of its
own.  Similarly, gnome-keyring ignores my configured gpg-agent, and
starts a GPG agent of its own.  Please check if the session already has
a running GPG agent, and only run the corresponding gnome-keyring agent
if not present.  That way, if the user has gpg-agent or libpam-ssh or
similar installed, it will Just Work; if not, gnome-keyring can handle
that functionality.

- Josh Triplett
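The "check first, only then start" behaviour Josh asks for, written out as an added example of a session start-up wrapper. This is not code from the bug report or from gnome-keyring itself: the gk_* function names are hypothetical, and it assumes gnome-keyring-daemon accepts the --components list built below (secrets, pkcs11, ssh, gpg). The SSH check relies on SSH_AUTH_SOCK pointing at a live socket; the GPG check accepts either the GnuPG 2.0-style GPG_AGENT_INFO variable or the fixed S.gpg-agent socket under GNUPGHOME.

```shell
#!/bin/sh
# Added example (not from the bug report or from gnome-keyring): a login-time
# wrapper that hands the ssh and gpg components to gnome-keyring only when the
# session does not already have an agent for them.  gk_* names are hypothetical.

# Return 0 if a usable SSH agent (ssh-agent, libpam-ssh, ...) is already
# reachable: SSH_AUTH_SOCK is set and names an existing Unix socket.
gk_ssh_agent_present() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Return 0 if a GPG agent is already reachable.  GnuPG 2.0 advertised it via
# GPG_AGENT_INFO ("<socket>:<pid>:<protocol>"); later releases use a fixed
# socket path under GNUPGHOME (default ~/.gnupg), which is also accepted.
gk_gpg_agent_present() {
    if [ -n "${GPG_AGENT_INFO:-}" ]; then
        sock=${GPG_AGENT_INFO%%:*}
        [ -S "$sock" ] && return 0
    fi
    [ -S "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent" ]
}

# Build the --components list: secrets and pkcs11 are always gnome-keyring's
# job; ssh and gpg are appended only when nobody else already provides them.
gk_components() {
    comps="secrets,pkcs11"
    gk_ssh_agent_present || comps="$comps,ssh"
    gk_gpg_agent_present || comps="$comps,gpg"
    printf '%s\n' "$comps"
}

# Only exec the daemon when explicitly asked to, so the functions above can be
# sourced and inspected without starting anything.
if [ "${GK_EXAMPLE_RUN:-0}" = 1 ]; then
    exec /usr/bin/gnome-keyring-daemon --start --components="$(gk_components)"
fi
```

Run with `GK_EXAMPLE_RUN=1` from a session script to start the daemon; without it the script only defines the functions, and `gk_components` alone prints what would be started, which is a convenient way to check which agent a session actually ends up with.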

#623539#22
Date:
2011-08-03 17:26:46 UTC
From:
To:
Hello:

At the very end of the README.Debian document,
it is suggested to edit the /etc/xdg/autostart/gnome-keyring-*.desktop configuration
in order to disable the keyring system wide:
of course, I can edit it, but I am stuck because I do not know how to modify it properly:
this part of the story is lacking in the README.Debian document.

hth,
Jerome

#623539#27
Date:
2015-04-14 08:55:29 UTC
From:
To:
Hi,

I know that it is quite late for the Jessie release but while chatting
with Neal on Sunday he remarked that he recently installed Jessie with
XFCE and had to patch GKR to make GnuPG work.  Thus the meanwhile well
known problems with 2.1 and GKR do not only affect GNOME but also XFCE.
This is quite bad for future GnuPG 2.1 adaption.  But it gets worse:

The common belief is that for GnuPG 2.0 the effect of GKR hijacking the
gpg/gpg-agent IPC is that only gpgsm and smartcards won't work.  I
looked closer at possible problems and figured that if you run GKR it
will also weaken all passphrases used by gpg.  Since GnuPG 2.0.14, which
was released in 2009, we have this feature:

 * New and changed passphrases are now created with an iteration count
   requiring about 100ms of CPU work.

With GKR faking gpg-agent that does not work and the old default
iteration count is used.  For example on my X220 this leads to a 300
times lower iteration count (work factor) for OpenPGP passphrases.  I
have seen CVEs issued for less problematic security degradations.

Sure it is possible to manually configure a different S2K count but
gpg-agent allows to do that automatically because gpg-agent is a long
running process and can calibrate that value.

It seems the GKR author is willing to remove that hijacking only if we
provide a new Pinentry to support gnome-keyring.  Well, that can of
course be done but to me adding a new feature to GNOME does not have top
priority.  Adding necessary features to GnuPG itself will of course be
done so to help writing a Gnome-Pinentry.

Even without a new Gnome-Pinentry it is important to stop the hijacking
of the gpg-agent IPC now.  GKR being able to store passphrases for
OpenPGP keys is merely a feature while inhibiting the use of gpgsm,
smartcards, and iteration count calibration are bugs.

Any chance to disable the gpg-agent component in GKR?

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623539
(Takes over GPG and SSH agents from gnupg-agent and ssh-agent)


Shalom-Salam,

   Werner
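To put Werner's "300 times lower iteration count" into numbers, here is an added example (not from his message or from GnuPG) that decodes and encodes the one-byte OpenPGP S2K count of RFC 4880 section 3.7.1.3 and compares a calibrated count with the fixed default of 65536 that gpg used before calibration existed. The calibrated figure of roughly 19.6 million iterations is an assumption chosen to reproduce the ratio he quotes, not a measurement; the s2k_* function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report or from GnuPG: arithmetic of the
# OpenPGP S2K count byte, so the "300 times lower" claim can be checked.
# RFC 4880 3.7.1.3: count = (16 + (c & 15)) << ((c >> 4) + 6) for c in 0..255,
# giving a range of 1024 (c=0) to 65011712 (c=255).

# Decode a coded byte (given in decimal) into the iteration count it stands for.
s2k_decode() {
    c=$1
    echo $(( (16 + (c & 15)) << ((c >> 4) + 6) ))
}

# Inverse: the smallest coded byte whose count is >= the requested count, which
# is how a calibrated value has to be rounded up before it can be stored.
s2k_encode() {
    want=$1
    c=0
    while [ "$c" -lt 255 ] && [ "$(s2k_decode "$c")" -lt "$want" ]; do
        c=$((c + 1))
    done
    echo "$c"
}

# Work-factor ratio between two coded bytes (integer division).
s2k_ratio() {
    echo $(( $(s2k_decode "$1") / $(s2k_decode "$2") ))
}

# Old fixed default: 65536 iterations, coded as 96 (0x60).
S2K_OLD_DEFAULT_CODE=96
# Assumed result of a 100 ms calibration on the machine in question; a number
# picked to match the ratio quoted above, not something measured here.
S2K_ASSUMED_CALIBRATED_COUNT=19660800

# Print what a key protected with each setting actually gets.
s2k_report() {
    cal=$(s2k_encode "$S2K_ASSUMED_CALIBRATED_COUNT")
    echo "old default:  code $S2K_OLD_DEFAULT_CODE -> $(s2k_decode "$S2K_OLD_DEFAULT_CODE") iterations"
    echo "calibrated:   code $cal -> $(s2k_decode "$cal") iterations"
    echo "work factor lost when calibration is skipped: $(s2k_ratio "$cal" "$S2K_OLD_DEFAULT_CODE")x"
}

if [ "${S2K_EXAMPLE_RUN:-0}" = 1 ]; then
    s2k_report
fi
```

The stored count can be read back from an existing secret key with `gpg --list-packets` (it prints the decoded count together with the coded byte), which is the quickest way to see whether a key was created while a real, calibrating gpg-agent was answering or while something else was.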

#623539#32
Date:
2015-04-14 10:14:01 UTC
From:
To:
Werner Koch <wk@gnupg.org> wrote:
        Even without a new Gnome-Pinentry it is important to stop the hijacking
        of the gpg-agent IPC now.  GKR being able to store passphrases for
        OpenPGP keys is merely a feature while inhibiting the use of gpgsm,
        smartcards, and iteration count calibration are bugs.

I’m pretty sure that gnome-keyring 3.14 in jessie supports smartcards
correctly.

As for iteration count calibration, this could probably be patched in
gnome-keyring; at least in a Debian-specific patch, but there’s no way
upstream would be hostile to that.

As for gpgsm, I’d be wary of dropping features used by e.g. evolution to
support S/MIME before changing the default gnome-keyring configuration.

Cheers,

#623539#37
Date:
2015-04-14 11:53:11 UTC
From:
To:
On Tue, 14 Apr 2015 12:14, joss@debian.org said:

It is not about anything in gnome-keyring but about gnome-keyring
inhibiting gpg to use smartcards, gpgsm and so on.  GKR has certain
components which replace existing services.  One of these components
replaces gpg-agent - or better said it mimics a small part of gpg-agent
(the "GET_PASSPHRASE" command).  Due to this "hijacking" of the real
gpg-agent (part of GnuPG) large parts of GnuPG do not work on systems
using gnome-keyring.

This was just an example.  The interface between gpg and gpg-agent
belongs to GnuPG and most parts are not published.  Or to say it in
other words: There is no defined interface.  Keep hands off.

gnome-keyring MUST NOT pretend to be gpg-agent.  Or if it does this you
need to add

  Breaks: gnupg2

Do you want a patch to remove gpg-agent from GKR?

gpgsm won't work if GKR is used and GKR hijacks gpg-agent.


Shalom-Salam,

   Werner

#623539#42
Date:
2015-04-14 12:10:54 UTC
From:
To:
On Tue, 14 Apr 2015 13:53, wk@gnupg.org said:

The patch is too simple.  Just add

#623539#47
Date:
2015-04-14 12:38:12 UTC
From:
To:
Werner Koch <wk@gnupg.org> wrote:
        > Do you want a patch to remove gpg-agent from GKR?

        The patch is too simple.  Just add

#623539#52
Date:
2015-04-15 02:59:12 UTC
From:
To:
Hello,

I'd understand your position.  GnuPG maintainers and/or Debian team
for GnuPG should keep communicating with GNOME developers about this issue.
We will.

On the other hand, shall we consider from viewpoint of Debian *users*?

I think that for Debian users, the gpg-agent feature of
gnome-keyring's is questionable since its implementation is immature
and causes troubles.

The only possible benefit with this feature for users would be
coherency for look&feel of dialog box in a desktop environment.

Downside is a non-working OpenPGP card (which is more popular among Debian
users than among other distro users, I suppose), weaker S2K (which is a pretty
important thing for Debian users), bad for gpgsm, and incompatibility
with GnuPG 2.1 private key handling.

It is unfortunate to force users into this dilemma between good
look&feel and good functionality/security.  This should be eventually
solved by upstreams.

I think that default should be good functionality/security than
look&feel.

It still makes sense to offer a choice to users, but I think that the
default for Debian users is better to have

	OnlyShowIn=

in /etc/xdg/autostart/gnome-keyring-gpg.desktop by removing
"GNOME;Unity;MATE;".  I know, the origin of the file is from upstream
of gnome-keyring, but, I believe that it is better default for any
desktop environment for Debian users.

How about this default change in gnome-keyring in Debian?

#623539#57
Date:
2015-04-17 09:22:27 UTC
From:
To:
On Tue, 14 Apr 2015 14:38, joss@debian.org said:

Sorry, this is serious brokenness which is going on for years.  For the
records let me conclude:

Jessie will be released with a default GNOME and an optional XFCE
desktop featuring these bugs affecting GnuPG

  - S/MIME (gpgsm) does not work at all.

  - Smartcards for GPG won't work.

  - GnuPG's included ssh-agent can't be used.

  - The passphrase protection of GnuPG private keys has been reduced to
    a security level we had before 2010.

  - Brute forcing symmetric encryption is as easy as before 2010.
    (~300 times faster on an i5-2410M, 2.3Ghz)

This has been justified by a better looking passphrase entry dialog for
GPG keys in GNOME's keyring-manager.


Salam-Shalom,

   Werner

#623539#62
Date:
2016-03-11 22:19:48 UTC
From:
To:
block 623539 by 773304
block 623539 by 760102
affects 623539 + gnupg-agent
affects 623539 + libpam-ssh
user luca.capello@infomaniak.com
usertag 623539 + infomaniak.com-authentication
thanks

Hi there!

At least the GnuPG part of this bug has been fixed:

- upstream[1][2][3] since gnome-keyring_3.17.4 together with
  pinentry_0.9.5 and gnupg_2.1.6

- in Debian[4] since gnome-keyring_3.16.0-3

[1] <https://bugs.debian.org/773304>
[2] <https://bugzilla.gnome.org/show_bug.cgi?id=644415#c10>
[3] <https://mail.gnome.org/archives/distributor-list/2015-August/msg00000.html>
[4] <https://bugs.debian.org/760102>

This means that the bug should already be fixed in stretch
(gnome-keyring_3.18.3-1, pinentry_0.9.7-5 and gnupg_2.1.11-6).

For jessie, you still need to avoid gnome-keyring-gpg and -ssh startup
as explained in the README.Debian, either with 'Hidden=true' as
explained on Simon Josefsson's blog[5] or, better, with (works on Ubuntu
14.04 as well, gnome-keyring_3.10.1-1ubuntu4):
=====
$ mkdir -p ~/.config/autostart
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-gpg.desktop - \
  >>~/.config/autostart/gnome-keyring-gpg.desktop
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-ssh.desktop - \
  >>~/.config/autostart/gnome-keyring-ssh.desktop
=====

[5] <https://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/>

Thx, bye,
Gismo / Luca
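Luca's per-user override, as an added example script (not from his message, from the README.Debian or from gnome-keyring) that also verifies the result. It parameterises the system and user autostart directories so it can be exercised against constructed .desktop files; the defaults are the real /etc/xdg/autostart and ~/.config/autostart paths, and the gk_* function names are hypothetical. Unlike the plain cat in the message, it drops any X-GNOME-Autostart-enabled or Hidden key already present in the system file so that the appended kill switch is the only one.

```shell
#!/bin/sh
# Added example, not from the bug report: user-level override of a system
# autostart entry plus a check that the override really disables it.

# Write $userdir/NAME.desktop as a copy of $sysdir/NAME.desktop with the
# autostart kill switch appended.  Usage: gk_disable_autostart NAME [SYSDIR] [USERDIR]
gk_disable_autostart() {
    name=$1
    sysdir=${2:-/etc/xdg/autostart}
    userdir=${3:-$HOME/.config/autostart}
    src="$sysdir/$name.desktop"
    dst="$userdir/$name.desktop"
    [ -f "$src" ] || { echo "no such autostart entry: $src" >&2; return 1; }
    mkdir -p "$userdir"
    # Keep Exec= and friends from the system file, drop any earlier enable/hide
    # keys so the one we append is unambiguous.
    grep -v -e '^X-GNOME-Autostart-enabled=' -e '^Hidden=' "$src" > "$dst"
    printf 'X-GNOME-Autostart-enabled=false\n' >> "$dst"
}

# Exit 0 if the user override for NAME carries either kill switch
# (X-GNOME-Autostart-enabled=false, or the Hidden=true form from the blog post
# cited above), 1 otherwise.  Usage: gk_autostart_disabled NAME [USERDIR]
gk_autostart_disabled() {
    name=$1
    userdir=${2:-$HOME/.config/autostart}
    f="$userdir/$name.desktop"
    [ -f "$f" ] && grep -q -e '^X-GNOME-Autostart-enabled=false$' -e '^Hidden=true$' "$f"
}

# When run directly, disable both agent components for the current user and
# report what was done.
if [ "${GK_EXAMPLE_RUN:-0}" = 1 ]; then
    for c in gnome-keyring-gpg gnome-keyring-ssh; do
        if gk_disable_autostart "$c" && gk_autostart_disabled "$c"; then
            echo "$c: disabled for $(id -un)"
        else
            echo "$c: NOT disabled" >&2
        fi
    done
fi
```

After logging in again, `gk_autostart_disabled gnome-keyring-gpg` and a look at SSH_AUTH_SOCK and GPG_AGENT_INFO together tell you whether the override took effect, which is the check the later reports in this thread (gnome-keyring still loading the gpg and ssh parts under MATE) were missing.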

#623539#95
Date:
2017-08-09 18:30:40 UTC
From:
To:
Dear all,

I came across this issue after an update of the 8 series (jessie) with
backports. Seems to be introduced there (or maybe it was already present
and popped back up, I vaguely remember something in the past).

Most annoying is that none of the proposed solutions work. I'm using the
MATE desktop, and somehow, although I completely removed the
/etc/xdg/autostart/gnome-keyring-gpg.desktop and -ssh equivalent, also
in the ~/.config folder, even while adding the --disable-gpg-agent to
the remaining gnome-keyring files, gnome-keyring keeps interfering. And
stubbornly loads the gpg and ssh parts.


The remaining entries now have the end of the file as follows:
-----
Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets --disable-gpg-agent
OnlyShowIn=GNOME;Unity;MATE;
X-GNOME-Autostart-Phase=Initialization
X-GNOME-AutoRestart=false
X-GNOME-Autostart-Notify=true
X-GNOME-Bugzilla-Bugzilla=GNOME
X-GNOME-Bugzilla-Product=gnome-keyring
X-GNOME-Bugzilla-Component=general
X-GNOME-Bugzilla-Version=3.14.0
-----

GnuPG v 2.0.26-6+deb8u
gnome-keyring 3.14.0-1+b1
pinentry-gtk2 0.9.7-5~bpo8+1

Although the help option of gnome-keyring-daemon shows that the gpg and
ssh parts are optional, they simply load during session start (gdm3 as
display manager). I could not find any other places where the
gnome-keyring-daemon is configured, any hints are welcome.
-----

Solution (not very handy though):

$ killall gnome-keyring-daemon

After gnome-keyring has been killed, pinentry takes over in Thunderbird + GnuPG.

Best regards,
Tjeerd
