- Package:
- gnome-keyring
- Source:
- gnome-keyring
- Description:
- GNOME keyring services (daemon and tools)
- Submitter:
- Josh Triplett
- Date:
- 2021-09-23 02:45:02 UTC
- Severity:
- normal
- Blocked By:
- 773304: gnome-keyring: fails to support openpgp smartcard (SCD SERIALNO openpgp: 103 unknown command) (severity normal; found in stable, testing, unstable; filed almost 9 years ago)
Since upgrading to gnome-keyring 3, gnome-keyring has taken over $GPG_AGENT_INFO, breaking gnupg-agent. Please check if the session already has a GPG agent, and if so please don't take over. Also, please document how to disable the GPG agent entirely, to complement the existing documentation on how to disable the SSH agent. Thanks, Josh Triplett
We believe that the bug you reported is fixed in the latest version of
gnome-keyring, which is due to be installed in the Debian FTP archive:
gnome-keyring_3.0.0-3.debian.tar.gz
to main/g/gnome-keyring/gnome-keyring_3.0.0-3.debian.tar.gz
gnome-keyring_3.0.0-3.dsc
to main/g/gnome-keyring/gnome-keyring_3.0.0-3.dsc
gnome-keyring_3.0.0-3_amd64.deb
to main/g/gnome-keyring/gnome-keyring_3.0.0-3_amd64.deb
libgck-dev_3.0.0-3_amd64.deb
to main/g/gnome-keyring/libgck-dev_3.0.0-3_amd64.deb
libgck0_3.0.0-3_amd64.deb
to main/g/gnome-keyring/libgck0_3.0.0-3_amd64.deb
libgcr-3-0_3.0.0-3_amd64.deb
to main/g/gnome-keyring/libgcr-3-0_3.0.0-3_amd64.deb
libgcr-3-dev_3.0.0-3_amd64.deb
to main/g/gnome-keyring/libgcr-3-dev_3.0.0-3_amd64.deb
libpam-gnome-keyring_3.0.0-3_amd64.deb
to main/g/gnome-keyring/libpam-gnome-keyring_3.0.0-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 623539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated gnome-keyring package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 21 Apr 2011 19:36:47 +0200
Source: gnome-keyring
Binary: gnome-keyring libgck-dev libgck0 libpam-gnome-keyring libgcr-3-dev libgcr-3-0
Architecture: source amd64
Version: 3.0.0-3
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description:
gnome-keyring - GNOME keyring services (daemon and tools)
libgck-dev - GLib wrapper library for PKCS#11 - development
libgck0 - Glib wrapper library for PKCS#11 - runtime
libgcr-3-0 - Library for Crypto UI related task - runtime
libgcr-3-dev - Library for Crypto UI related task - development
libpam-gnome-keyring - PAM module to unlock the GNOME keyring upon login
Closes: 622875 623335 623539
Changes:
gnome-keyring (3.0.0-3) unstable; urgency=low
.
[ Josselin Mouette ]
* Break libgnome-keyring < 3.0.
* Fail gracefully when capabilities are not supported.
Closes: #622875, #623335.
* Break seahorse-plugins < 3.0, since it takes over the GPG
functionality.
* README.Debian: document how to disable gnome-keyring components.
Closes: #623539.
reopen 623539
retitle 623539 Takes over GPG and SSH agents from gnupg-agent and ssh-agent
thanks
Thank you for adding documentation on how to manually disable gnome-keyring's SSH and GPG agents. (I just ran into the SSH agent today; apparently gnome-keyring now ignores the previous /apps/gnome-keyring/daemon-components/ssh gconf key.) However, this only fixes half of the reported bug. I have libpam-ssh installed and configured. libpam-ssh starts an ssh-agent with my SSH key automatically unlocked via my login password. gnome-keyring ignores the configured SSH agent, and starts one of its own. Similarly, gnome-keyring ignores my configured gpg-agent, and starts a GPG agent of its own. Please check if the session already has a running GPG agent, and only run the corresponding gnome-keyring agent if not present. That way, if the user has gpg-agent or libpam-ssh or similar installed, it will Just Work; if not, gnome-keyring can handle that functionality. - Josh Triplett
Hello: At the very end of the README.Debian document, it is suggested to edit the /etc/xdg/autostart/gnome-keyring-*.desktop configuration in order to disable the keyring system wide: of course, I can edit it, but I am stuck because I do not know how to modify it properly: this part of the story is lacking in the README.Debian document. hth, Jerome
Hi, I know that it is quite late for the Jessie release but while chatting with Neal on Sunday he remarked that he recently installed Jessie with XFCE and had to patch GKR to make GnuPG work. Thus the meanwhile well known problems with 2.1 and GKR do not only affect GNOME but also XFCE. This is quite bad for future GnuPG 2.1 adoption. But it gets worse: The common belief is that for GnuPG 2.0 the effect of GKR hijacking the gpg/gpg-agent IPC is that only gpgsm and smartcards won't work. I looked closer at possible problems and figured that if you run GKR it will also weaken all passphrases used by gpg. Since GnuPG 2.0.14, which was released in 2009, we have this feature:
* New and changed passphrases are now created with an iteration count requiring about 100ms of CPU work.
With GKR faking gpg-agent that does not work and the old default iteration count is used. For example on my X220 this leads to a 300 times lower iteration count (work factor) for OpenPGP passphrases. I have seen CVEs issued for less problematic security degrades. Sure it is possible to manually configure a different S2K count but gpg-agent allows doing that automatically because gpg-agent is a long running process and can calibrate that value. It seems the GKR author is willing to remove that hijacking only if we provide a new Pinentry to support gnome-keyring. Well, that can of course be done but to me adding a new feature to GNOME does not have top priority. Adding necessary features to GnuPG itself will of course be done to help write a Gnome-Pinentry. Even without a new Gnome-Pinentry it is important to stop the hijacking of the gpg-agent IPC now. GKR being able to store passphrases for OpenPGP keys is merely a feature while inhibiting the use of gpgsm, smartcards, and iteration count calibration are bugs. Any chance to disable the gpg-agent component in GKR?
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623539 (Takes over GPG and SSH agents from gnupg-agent and ssh-agent) Shalom-Salam, Werner
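Werner's point about the weakened work factor, as an added illustration that is not code from this thread, GnuPG or gnome-keyring: the Iterated and Salted S2K from RFC 4880 section 3.7.1.3, where the coded octet 0x60 (96) is the old fixed default of 65536 hashed octets, and a simplified stand-in for gpg-agent's calibration (assumed here to scale a probe run to the ~100 ms target; the real agent's loop is not reproduced).

```python
import hashlib
import time

def s2k_decode_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: one coded octet -> number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_encode_count(octets: int) -> int:
    """Smallest coded octet whose decoded count covers `octets` (capped at 255)."""
    for coded in range(256):
        if s2k_decode_count(coded) >= octets:
            return coded
    return 255

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        hash_name: str = "sha1", key_len: int = 0) -> bytes:
    """S2K type 3: hash `count` octets of (salt || passphrase) repeated."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    key_len = key_len or hashlib.new(hash_name).digest_size
    data = salt + passphrase
    count = max(s2k_decode_count(coded), len(data))  # never hash less than one copy
    block = data * (65536 // len(data) + 1)          # big aligned chunks: native-speed hashing
    out, ctx = b"", 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)   # each further context is preloaded with one more zero octet
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]

def calibrate_count(target_ms: float = 100.0, hash_name: str = "sha1") -> int:
    """Assumed simplified calibration: time the old fixed default (0x60) and
    scale it so one S2K costs about `target_ms` of CPU work on this machine."""
    probe = 96
    t0 = time.perf_counter()
    s2k_iterated_salted(b"calibration", b"\x00" * 8, probe, hash_name)
    elapsed_ms = (time.perf_counter() - t0) * 1000.0
    wanted = int(s2k_decode_count(probe) * target_ms / max(elapsed_ms, 1e-6))
    return s2k_encode_count(max(wanted, s2k_decode_count(probe)))

if __name__ == "__main__":
    c = calibrate_count()
    print(f"fixed default 0x60 -> {s2k_decode_count(96)} octets; "
          f"calibrated {c:#04x} -> {s2k_decode_count(c)} octets "
          f"({s2k_decode_count(c) / s2k_decode_count(96):.0f}x the work)")
```

A key derived with a fixed 0x60 count costs the attacker exactly 65536 hashed octets per guess regardless of hardware, which is the degradation the message describes; the calibrated count grows with the machine until it hits the format's 255 cap.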
Werner Koch <wk@gnupg.org> wrote:
> Even without a new Gnome-Pinentry it is important to stop the hijacking
> of the gpg-agent IPC now. GKR being able to store passphrases for
> OpenPGP keys is merely a feature while inhibiting the use of gpgsm,
> smartcards, and iteration count calibration are bugs.
I’m pretty sure that gnome-keyring 3.14 in jessie supports smartcards
correctly.
As for iteration count calibration, this could probably be patched in
gnome-keyring; at least in a Debian-specific patch, but there’s no way
upstream would be hostile to that.
As for gpgsm, I’d be wary of dropping features used by e.g. evolution to
support S/MIME before changing the default gnome-keyring configuration.
Cheers,
On Tue, 14 Apr 2015 12:14, joss@debian.org said: It is not about anything in gnome-keyring but about gnome-keyring inhibiting gpg to use smartcards, gpgsm and so on. GKR has certain components which replace existing services. One of these components replaces gpg-agent - or better said it mimics a small part of gpg-agent (the "GET_PASSPHRASE" command). Due to this "hijacking" of the real gpg-agent (part of GnuPG) large parts of GnuPG do not work on systems using gnome-keyring. This was just an example. The interface between gpg and gpg-agent belongs to GnuPG and most parts are not published. Or to say it in other words: There is no defined interface. Keep hands off. gnome-keyring MUST NOT pretend to be gpg-agent. Or if it does this you need to add Breaks: gnupg2 Do you want a patch to remove gpg-agent from GKR? gpgsm won't work if GKR is used and GKR hijacks gpg-agent. Shalom-Salam, Werner
On Tue, 14 Apr 2015 13:53, wk@gnupg.org said:
Werner Koch <wk@gnupg.org> wrote:
> Do you want a patch to remove gpg-agent from GKR?
The patch is too simple. Just add
Hello, I'd understand your position. GnuPG maintainers and/or the Debian team for GnuPG should keep communicating with GNOME developers for this issue. We will. On the other hand, shall we consider the viewpoint of Debian *users*? I think that for Debian users, the gpg-agent feature of gnome-keyring's is questionable since its implementation is immature and causes troubles. The only possible benefit with this feature for users would be coherency for look&feel of dialog boxes in a desktop environment. The downside is a non-working OpenPGPcard (which is more popular among Debian users than among other distro users, I suppose), weaker S2K (which is a pretty important thing for Debian users), bad for gpgsm, and incompatibility with GnuPG 2.1 private key handling. It is unfortunate to force users into this dilemma between good look&feel and good functionality/security. This should be eventually solved by upstreams. I think that the default should be good functionality/security rather than look&feel. It still makes sense to offer a choice to users, but I think that the better default for Debian users is to have OnlyShowIn= in /etc/xdg/autostart/gnome-keyring-gpg.desktop by removing "GNOME;Unity;MATE;". I know, the origin of the file is from upstream of gnome-keyring, but I believe that it is a better default for any desktop environment for Debian users. How about this default change in gnome-keyring in Debian?
On Tue, 14 Apr 2015 14:38, joss@debian.org said:
Sorry, this is serious brokenness which has been going on for years. For the
record let me conclude:
Jessie will be released with a default GNOME and an optional XFCE
desktop featuring these bugs affecting GnuPG
- S/MIME (gpgsm) does not work at all.
- Smartcards for GPG won't work.
- GnuPG's included ssh-agent can't be used.
- The passphrase protection of GnuPG private keys has been reduced to
a security level we had before 2010.
- Brute forcing symmetric encryption is as easy as before 2010.
(~300 times faster on an i5-2410M, 2.3Ghz)
This has been justified by a better looking passphrase entry dialog for
GPG keys in GNOME's keyring-manager.
Salam-Shalom,
Werner
block 623539 by 773304
block 623539 by 760102
affects 623539 + gnupg-agent
affects 623539 + libpam-ssh
user luca.capello@infomaniak.com
usertag 623539 + infomaniak.com-authentication
thanks
Hi there! At least the GnuPG part of this bug has been fixed:
- upstream[1][2][3] since gnome-keyring_3.17.4 together with pinentry_0.9.5 and gnupg_2.1.6
- in Debian[4] since gnome-keyring_3.16.0-3
[1] <https://bugs.debian.org/773304>
[2] <https://bugzilla.gnome.org/show_bug.cgi?id=644415#c10>
[3] <https://mail.gnome.org/archives/distributor-list/2015-August/msg00000.html>
[4] <https://bugs.debian.org/760102>
This means that the bug should already be fixed in stretch (gnome-keyring_3.18.3-1, pinentry_0.9.7-5 and gnupg_2.1.11-6). For jessie, you still need to avoid gnome-keyring-gpg and -ssh startup as explained in the README.Debian, either with 'Hidden=true' as explained on Simon Josefsson's blog[5] or, better, with (works on Ubuntu 14.04 as well, gnome-keyring_3.10.1-1ubuntu4):
=====
$ mkdir -p ~/.config/autostart
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-gpg.desktop - \
  >>~/.config/autostart/gnome-keyring-gpg.desktop
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-ssh.desktop - \
  >>~/.config/autostart/gnome-keyring-ssh.desktop
=====
[5] <https://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/>
Thx, bye, Gismo / Luca
Dear all, I came across this issue after an update of the 8 series (jessie) with backports. Seems to be introduced there (or maybe it was already present and popped back up, I vaguely remember something in the past). Most annoying is that none of the proposed solutions work. I'm using the MATE desktop, and somehow, although I completely removed the /etc/xdg/autostart/gnome-keyring-gpg.desktop and -ssh equivalent, also in the ~/.config folder, even while adding the --disable-gpg-agent to the remaining gnome-keyring files, gnome-keyring keeps interfering. And stubbornly loads the gpg and ssh parts. The remaining entries have the end of the file now as follows:
-----
Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets --disable-gpg-agent
OnlyShowIn=GNOME;Unity;MATE;
X-GNOME-Autostart-Phase=Initialization
X-GNOME-AutoRestart=false
X-GNOME-Autostart-Notify=true
X-GNOME-Bugzilla-Bugzilla=GNOME
X-GNOME-Bugzilla-Product=gnome-keyring
X-GNOME-Bugzilla-Component=general
X-GNOME-Bugzilla-Version=3.14.0
-----
GnuPG v 2.0.26-6+deb8u
gnome-keyring 3.14.0-1+b1
pinentry-gtk2 0.9.7-5~bpo8+1
Although the help option of gnome-keyring-daemon shows that the gpg and ssh parts are optional, they simply load during session start (gdm3 as display manager). I could not find any other places where the gnome-keyring-daemon is configured, any hints are welcome.
-----
Solution (not very handy though):
$ killall gnome-keyring-daemon
After gnome-keyring has been killed, pinentry takes over in thunderbird + gnupg. Best regards, Tjeerd