Author Topic: GPG generation error during Easy Setup  (Read 267 times)

rowanthorpe

  • Newbie
  • Posts: 22
GPG generation error during Easy Setup
« on: September 05, 2017, 12:01:45 pm »
When doing the Easy Setup option using confidant version 2.1, installed from .deb on a Debian Sid GNU/Linux system, the interface failed for me with:
Code:
Key generation failed: 'NoneType' object has no attribute 'lower'
so I reran it as:
Code:
confidantmail -debug
and it failed during Easy Setup again the same way, with the following terminal output:
Code:
Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/share/confidantmail/gnupg.py", line 779, in _read_response
    result.handle_status(keyword, value)
  File "/usr/share/confidantmail/gnupg.py", line 571, in handle_status
    raise ValueError("Unknown status message: %r" % key)
ValueError: Unknown status message: u'ERROR'
It seems GPG is giving an unknown status message "ERROR", and confidant tries to continue anyway, and causes a red-herring error-message when it tries to string-transform a None return-value.

The version of GPG I have installed (by apt, not custom) is 2.1.18-8. Let me know if you need more information.

EDIT: I looked again at the bash "install script" to ensure I hadn't missed any dependency during manual install - and I hadn't missed anything.
« Last Edit: September 05, 2017, 12:08:48 pm by rowanthorpe »
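
The traceback above shows the status reader thread dying on the first keyword it does not recognise, which is why the interface only reports the later 'NoneType' error. The following is an added example, not code from Confidant Mail or its gnupg.py: a status handler that records ERROR and unknown keywords and reports the failure itself. The class and function names and the sample status lines are constructed for illustration.

```python
STATUS_PREFIX = "[GNUPG:] "
# Informational keywords that need no action during key generation.
BENIGN = {"PROGRESS", "PINENTRY_LAUNCHED", "KEY_CONSIDERED"}

class KeyGenResult:
    """Collects gpg status-fd lines for one key-generation run (hypothetical name)."""
    def __init__(self):
        self.fingerprint = None
        self.not_created = False
        self.errors = []    # raw arguments of every ERROR line
        self.unknown = []   # keywords this handler does not know

    def handle_status(self, keyword, value):
        fields = value.split()
        if keyword == "KEY_CREATED" and len(fields) >= 2:
            self.fingerprint = fields[1]     # KEY_CREATED <type> <fingerprint>
        elif keyword == "KEY_NOT_CREATED":
            self.not_created = True
        elif keyword == "ERROR":
            self.errors.append(value)        # ERROR <location> <error code>
        elif keyword not in BENIGN:
            self.unknown.append(keyword)     # record it, never raise in the reader thread

    def failure(self):
        """Return None on success, else a message the GUI can show."""
        if self.fingerprint is not None:
            return None
        detail = "; ".join(self.errors) or "no ERROR line seen"
        return ("gpg did not create a key (%s); check that gpg-agent "
                "can display a pinentry" % detail)

def read_status(lines):
    """Feed every status line to a KeyGenResult, skipping other gpg output."""
    result = KeyGenResult()
    for line in lines:
        if line.startswith(STATUS_PREFIX):
            keyword, _, value = line[len(STATUS_PREFIX):].strip().partition(" ")
            result.handle_status(keyword, value)
    return result

# Constructed sample input, not captured from a real gpg run.
FAILED_RUN = ["gpg: (constructed diagnostic text)",
              "[GNUPG:] ERROR key_generate 12345",
              "[GNUPG:] KEY_NOT_CREATED"]
OK_RUN = ["[GNUPG:] KEY_CREATED P 0123456789ABCDEF0123456789ABCDEF01234567"]

if __name__ == "__main__":
    print(read_status(FAILED_RUN).failure())
```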

Mike

  • Administrator
  • Full Member
  • Posts: 105
Re: GPG generation error during Easy Setup
« Reply #1 on: September 05, 2017, 01:13:19 pm »
Does your GPG work from the command line? Do you get a graphical pinentry request? Which GUI and pinentry are you using? The normal reason for GPG to fail key generation is that it cannot bring up pinentry. If it tries to use the command-line pinentry within CM, it will generate that error.

rowanthorpe

Re: GPG generation error during Easy Setup
« Reply #2 on: September 05, 2017, 04:30:26 pm »
Ah, that was the problem (thanks for the pointer). I only use gpg at the commandline, often in VTs (non-graphical environment), and have my gpg-agent configured to use pinentry-curses as default, but I presumed that as I was running confidantmail from a terminal it would let me use the launching terminal for pinentry. In hindsight that obviously isn't possible for the same security-reason gpg does the keygrabbing voodoo with the graphical pinentry modes, but as my main gpg-key pass is usually cached I forgot that with a newly generated key that wouldn't be the case. I reconfigured gpg-agent to not use curses and restarted it, and the "Easy Setup" completed.

It might be worth documenting that requirement somewhere (or improving the error-handling to alert the user about the requirement), as I suspect I'm not the only person having a look at the package after you posted the RFS at debian-devel mailing list, and probably others coming from there will be commandline-by-default types too :-D

I guess it should be possible (but involve non-trivial coding) to use gpg with --pinentry-mode loopback and to do pass-handling in the main app, but on the other hand I guess it instills a better sense of security if the user sees that all pinentry is done directly by gpg...

Mike

Re: GPG generation error during Easy Setup
« Reply #3 on: September 11, 2017, 06:05:08 pm »
How would I go about detecting that? I could put up a "hey dummy" whenever someone starts up with gpg2 and invalid configuration. Is this just the symlink for pinentry? I.e. what did you change to make it work.

Gpg2 has been a large pain due to the way it handles passwords. I wish ECC was backported to gpg 1.4
« Last Edit: September 11, 2017, 07:01:18 pm by Mike »

rowanthorpe

Re: GPG generation error during Easy Setup
« Reply #4 on: September 20, 2017, 06:32:07 pm »
Quote from: Mike
> How would I go about detecting that? I could put up a "hey dummy" whenever someone starts up with gpg2 and invalid configuration. Is this just the symlink for pinentry? I.e. what did you change to make it work.

Sorry, I didn't see your reply on this issue until now. The change I made was to comment out the following line:

Code:
pinentry-program /usr/bin/pinentry-curses
in my ~/.gnupg/gpg-agent.conf

Quote from: Mike
> Gpg2 has been a large pain due to the way it handles passwords. I wish ECC was backported to gpg 1.4

I had my share of banging my head against gpg2 a few years ago (when making a shellscript-tool for automating creation of super-strong keys following best-practices). Your predicament with the passphrase-entry reminded me that I had an extensively updated private-branch of that project, including with changes using gpg-preset-passphrase, --pinentry-mode loopback, etc. On the off-chance that any of it may prove useful, I just now pushed that branch to the "devel" branch on the github repo, with all the untested changes as a WIP commit, along with a big warning that that branch is only a work-in-progress, so may not even run (and is mainly useful for reading the code). Feel free to have a look at the gpg2 invocations/flags there, and also the comment about the gpgwrap manpage. Depending on your interest in paranoiac things, you may also find the memlockd stuff relevant.
« Last Edit: September 20, 2017, 06:34:59 pm by rowanthorpe »
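
A startup check of the kind asked about in Reply #3, built on the gpg-agent.conf line reported in Reply #4. This is an added example, not code from either poster or from Confidant Mail. The function names, the set of terminal-only pinentry names and the sample configuration text are assumptions made for illustration.

```python
import os
import shutil

# Assumption: the pinentry flavours that can only prompt on a terminal.
TERMINAL_ONLY = {"pinentry-curses", "pinentry-tty"}

def pinentry_programs(conf_text):
    """Return every uncommented pinentry-program value in gpg-agent.conf text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "pinentry-program":
            found.append(parts[1].strip())
    return found

def is_terminal_only(path):
    """True if the path, or the file its symlinks resolve to, is a terminal pinentry."""
    names = {os.path.basename(path), os.path.basename(os.path.realpath(path))}
    return bool(names & TERMINAL_ONLY)

def startup_warnings(conf_text, default_pinentry=None):
    """Warn about an explicit terminal pinentry, else about the default one."""
    explicit = pinentry_programs(conf_text)
    warnings = ["gpg-agent.conf sets pinentry-program %s, which needs a terminal" % p
                for p in explicit if is_terminal_only(p)]
    if not explicit and default_pinentry and is_terminal_only(default_pinentry):
        warnings.append("default pinentry %s needs a terminal" % default_pinentry)
    return warnings

# Constructed sample configurations: the reported setting, and the fix from Reply #4.
CONF_BROKEN = "pinentry-program /usr/bin/pinentry-curses\ndefault-cache-ttl 600\n"
CONF_FIXED = "#pinentry-program /usr/bin/pinentry-curses\ndefault-cache-ttl 600\n"

if __name__ == "__main__":
    conf = os.path.expanduser("~/.gnupg/gpg-agent.conf")  # default GnuPG home assumed
    text = open(conf).read() if os.path.exists(conf) else ""
    for warning in startup_warnings(text, shutil.which("pinentry")):
        print(warning)
```

Passing the resolved default `pinentry` path also covers the symlink case raised in Reply #3, where no `pinentry-program` line is set but the system default points at a terminal flavour.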