gpg path of pinentry listed by nixos is not installed ... #97861

Closed
reyman opened this issue Sep 12, 2020 · 29 comments
Labels
0.kind: bug Something is broken 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@reyman

reyman commented Sep 12, 2020

Describe the bug

gpgconf indicates that pinentry is not installed, so it is not possible to encrypt or decrypt using gpg.

To Reproduce
Steps to reproduce the behavior:

1 - My configuration.nix

       services.openssh.enable = true;
       programs.ssh.startAgent = false;

       programs.gnupg.agent.pinentryFlavor = "curses";
       programs.gnupg.agent = {
         enable = true;
         enableSSHSupport = true;
       };

2 - my .gnupg folder contains

gpg.conf

use-agent

empty gpg-agent.conf

3 - run

systemctl --user restart gpg-agent
gpgconf --reload gpg-agent

4 - see the process

[root@arkham:~/.gnupg]# ps aux | grep gpg-agent
 2285 root      0:00 /nix/store/76dkq6ahwc32amdbbypmfsdvjkh1ab82-gnupg-2.2.23/bin/gpg-agent --supervised --pinentry-program /nix/store/shw8mdjaiv0gbgzzv5sbnw2g0vjvpkg0-pinentry-1.1.0-curses/bin/pinentry

5 - see the problem (1)

[root@arkham:~/.gnupg]# gpgconf --check-programs
gpgconf: error running '/nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/pinentry': probably not installed
[root@arkham:~]# ls /nix/store/yvnd02rbdsin2waamh9kb94klipajbhi-gnupg-2.2.20/bin/
addgnupghome        gpg                 gpg2                gpgsm               watchgnupg
applygnupgdefaults  gpg-agent           gpgconf             gpgtar
dirmngr             gpg-connect-agent   gpgparsemail        gpgv
dirmngr-client      gpg-wks-server      gpgscm              kbxutil

6 - see the problem (2)

[root@arkham:~]# gpg -d -vvv test.txt.gpg 
gpg: using character set 'utf-8'
# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
	salt DFE34FFAF84E03FE, count 65011712 (255)
gpg: AES256 encrypted data
gpg: connection to agent is in restricted mode
gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.20)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with the agent: Forbidden
# off=15 ctb=d2 tag=18 hlen=2 plen=65 new-ctb
:encrypted data packet:
	length: 65
	mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

I also tried to install pinentry manually, but that fails because the PATH in the catalog differs.

Expected behavior

Possibility to decrypt and encrypt using my smartcard/yubikey by calling gpg

Additional context

I'm trying to use Yubikey pgp on a remote ssh session

Notify maintainers
@flokli

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.4.62, NixOS, 20.09pre242769.61525137fd1 (Nightingale)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.7
  • channels(root): "nixos-20.09pre242769.61525137fd1"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
  - programs.gnupg.agent
@reyman reyman added the 0.kind: bug Something is broken label Sep 12, 2020
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/yubikey-smartcard-challenge-mode-usable-on-remote-ssh/8936/16

@meithecatte
Contributor

It seems like gpg-agent is ignoring the --pinentry-program option and using its own default of trying to find pinentry relative to its own path.

@flokli
Contributor

flokli commented Sep 12, 2020 via email

@meithecatte
Contributor

reyman mentioned on IRC that this is the first time they're trying to set this up.

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Sep 12, 2020
@reyman
Author

reyman commented Sep 13, 2020

@flokli Yes, @NieDzejkob is right, this is the first time I try this thing, using unstable to get some recent patches for yubikey/ssh/luks things.

Perhaps the pinentry problem could be linked to #95777?

I'm noticing another strange thing: after some time I need to restart gpg-agent manually:
systemctl --user restart gpg-agent

[root@arkham:~]# ps wwaux|grep gpg-agent
 4124 root      0:00 grep gpg-agent

[root@arkham:~]# systemctl --user restart gpg-agent

[root@arkham:~]# ps wwaux|grep gpg-agent
 4131 root      0:00 /nix/store/76dkq6ahwc32amdbbypmfsdvjkh1ab82-gnupg-2.2.23/bin/gpg-agent --supervised --pinentry-program /nix/store/shw8mdjaiv0gbgzzv5sbnw2g0vjvpkg0-pinentry-1.1.0-curses/bin/pinentry

But I see another weird thing: it seems there is another gpg-agent that runs sometimes:

[root@arkham:~]# ps wwaux|grep gpg-agent
 4192 root      0:00 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon

So there is some hook somewhere that starts another gpg-agent; I suppose this is linked to other gpg issues like #92084 / #57779 / #72597.

@bwolf
Contributor

bwolf commented Sep 28, 2020

Too bad that there still is no fix for that :-(

@bburdette
Contributor

Ugh, just ran into this today. A shame you have to google and rely on bug reports to get a workaround.

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/yubikey-smartcard-challenge-mode-usable-on-remote-ssh/8936/20

@jasoncarr0
Contributor

jasoncarr0 commented Nov 16, 2020

I am getting gnupg from a nix-shell and ran into this. It previously worked fine but now gives me this error. I don't have any configuration in my nixos config for it.

@reyman
Author

reyman commented Nov 21, 2020

Right @jasoncarr0 @flokli, I had the same problem without any config for gpg-agent in my configuration.nix.
To reproduce, take a live CD:

  • nix-env -iA nixos.gnupg
  • nix-env -iA nixos.pinentry-curses
  • nano ~/.gnupg/gpg-agent.conf, add pinentry-program /home/nixos/.nix-profile/bin/pinentry
  • gpgconf --check-programs
  • gpgconf --reload gpg-agent

This returns pinentry:Passphrase Entry:/nix/store/przl7lwjkpfd3hml0rrmfq331jggn7db-gnupg-2.2.19/bin/pinentry:0:0:
which doesn't exist.

Another problem:

[nixos@nixos:~/.gnupg]$ ls -l ~/.nix-profile/bin/pinentry*

returns

lrwxrwxrwx 1 root root 71 Jan  1  1970 /home/nixos/.nix-profile/bin/pinentry -> /nix/store/pahxcgryyrh4cj8yc6nq1537k5867021-pinentry-1.1.0/bin/pinentry

pinentry-curses doesn't exist, see #95777 ...

@flokli
Contributor

flokli commented Nov 22, 2020

gnupg really doesn't like picking up pinentry from $PATH. See my comment from #90214 (comment).

So running nix-env -iA to "install" various pinentrys to your environment won't help, even if #65325 would be fixed.

We currently do start a gpg-agent in a user session, which is configured with an appropriate pinentry depending on your system configuration: #71095

There were some ideas on having a wrapper at ${gnupg}/bin/pinentry already some time ago (#72597 (comment)), which could pick up a pinentry from $PATH, but no-one has thought about the security implications, or stepped up to send a PR yet ;-)
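Shell check added here (not from the issue, nor from nixpkgs or GnuPG) for the situation reyman reproduces above and flokli explains: gpg-agent looks for `pinentry` next to its own binary and does not search `$PATH`, so on NixOS the only thing that reliably steers it is an absolute path, either the `--pinentry-program` the systemd unit passes or a `pinentry-program` line in `gpg-agent.conf` (the workaround dpc and philipwilk use later in this thread). The script pins such a path idempotently and parses the record that `gpgconf --check-programs` prints for pinentry to tell whether the path it names exists. The function names `pin_pinentry` and `pinentry_from_gpgconf` are mine; the sample record is constructed to match the output quoted in the thread. It does not decode gpgconf's percent-escaping, which only matters for paths containing colons or non-printable characters.

```shell
#!/bin/sh
# Added example, not code from the issue, nixpkgs or GnuPG. Assumes POSIX sh with
# awk, grep and mktemp. Paths are whatever the caller passes in.

# Write (or replace) the single pinentry-program line in $1/gpg-agent.conf so
# gpg-agent stops falling back to ${gnupg}/bin/pinentry, which nixpkgs does not ship.
# $1 = GNUPGHOME directory, $2 = absolute path of a pinentry binary.
pin_pinentry() {
  gnupghome=$1
  pinentry=$2
  conf="$gnupghome/gpg-agent.conf"
  case $pinentry in
    /*) ;;  # gpg-agent wants an absolute path; $PATH is never searched
    *) echo "pin_pinentry: '$pinentry' is not an absolute path" >&2; return 2 ;;
  esac
  [ -x "$pinentry" ] || { echo "pin_pinentry: '$pinentry' is not executable" >&2; return 1; }
  mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
  tmp="$conf.tmp"
  # Keep every other option, drop any previous pinentry-program line, append ours.
  if [ -f "$conf" ]; then grep -v '^pinentry-program ' "$conf" > "$tmp" || :; else : > "$tmp"; fi
  echo "pinentry-program $pinentry" >> "$tmp"
  mv "$tmp" "$conf"
}

# Parse the pinentry record from `gpgconf --check-programs` output passed in $1.
# Records are colon-separated: name:description:program:avail:okay:...
# Prints the program path; returns 0 only if that path exists and is executable.
pinentry_from_gpgconf() {
  prog=$(printf '%s\n' "$1" | awk -F: '$1 == "pinentry" { print $3; exit }')
  [ -n "$prog" ] || { echo "no pinentry record in gpgconf output" >&2; return 2; }
  printf '%s\n' "$prog"
  [ -x "$prog" ]
}

# Constructed sample record, same shape as the one quoted in the thread; the path
# does not exist on this machine, which is exactly the failure being diagnosed.
SAMPLE_CHECK='pinentry:Passphrase Entry:/nix/store/przl7lwjkpfd3hml0rrmfq331jggn7db-gnupg-2.2.19/bin/pinentry:0:0:'

if pinentry_from_gpgconf "$SAMPLE_CHECK" >/dev/null 2>&1; then
  echo "pinentry path reported by gpgconf is usable"
else
  echo "pinentry path reported by gpgconf is missing; pin one with pin_pinentry \$GNUPGHOME /abs/path/to/pinentry"
fi
```

On a live host feed it real output, `pinentry_from_gpgconf "$(gpgconf --check-programs 2>/dev/null)"`, and if that fails run `pin_pinentry "${GNUPGHOME:-$HOME/.gnupg}" /run/current-system/sw/bin/pinentry-curses` followed by `gpgconf --reload gpg-agent` so the running agent re-reads the file.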

@reyman
Author

reyman commented Nov 22, 2020

Thanks @flokli for pointing me these remarks/issues.
I'm in the case of running an install from the NixOS live CD using remote SSH, where gpg-agent & pinentry seem not installed/configured to work without a GUI. What do you advise? Creating a new live CD with gpg-agent correctly configured? Or, as a last-chance solution, push my decrypted password from local to remote as a script argument over ssh ...

@flokli
Contributor

flokli commented Nov 22, 2020

I'm not very familiar with how the live cds currently look like, but both gnome3 and plasma5 environments should configure an appropriate pinentry flavour - so it might be just a matter of setting programs.gnupg.agent.enable in the graphical installer profile.

gnupg might already be in the closure anyways 🤷

@reyman
Author

reyman commented Nov 22, 2020

@flokli OK, I understand that things seem to work the graphical way, but that doesn't solve the problem of the "curses" flavor, which doesn't work :-/

@flokli
Contributor

flokli commented Nov 22, 2020 via email

@b12f
Contributor

b12f commented Mar 29, 2021

Has anyone gotten gpg to work? I'm completely blocked, unable to encrypt/decrypt anything. An added problem is mentioned in nix-community/home-manager#887, where even if pinentry would work, the --homedir appears to break the existing gpg-agent that is found anyway, and it starts a new one in the --homedir directory. I can't imagine all of the nix community just working around this, am I doing something wrong?

@meithecatte
Contributor

meithecatte commented Mar 29, 2021

gpg is working just fine for me. The only relevant settings in my config are:

  programs.gnupg.agent = {
    enable = true;
    pinentryFlavor = "curses";
  };

@b12f
Contributor

b12f commented Mar 29, 2021

My setup:

  programs.gnupg = {
    agent.enable = true;
    agent.pinentryFlavor = "curses";
  };

Just changed from gnome3 as the flavor to curses, and did the following:

$ sudo nixos-rebuild switch --flake "/etc/nixos#installed-host" --upgrade-all
$ systemctl --user restart gpg-agent
$ gpgconf --reload gpg-agent
$ gpg --import pgp-private-keys.asc # some random encrypted private key
gpg: key 4406E80E13CD656C: "Benjamin Bädorf (gitea) <[email protected]>" not changed
gpg: key 4406E80E13CD656C/4406E80E13CD656C: error sending to agent: No pinentry
gpg: error building skey array: No pinentry
gpg: error reading 'pgp-private-keys.asc': No pinentry
gpg: import from 'pgp-private-keys.asc' failed: No pinentry
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

The gpg-agent seems to be fine:

ps -ef | grep gpg
ben           4464  2027 0 15:00:40 ?     00:00:00 gpg-agent --supervised --pinentry-program /nix/store/4gs2gfx54j5g4lkyza9lr272bkqrwxz1-pinentry-1.1.0-curses/bin/pinentry
ben           4734 16395 0 15:03:46 pts/3 00:00:00 grep gpg

@meithecatte
Contributor

meithecatte commented Mar 29, 2021 via email

@b12f
Contributor

b12f commented Mar 29, 2021

I think I found something:

$ systemctl --user status gpg-agent --no-pager -l
...
Mar 29 15:00:41 chocolatebar systemd[2027]: Started GnuPG cryptographic agent and passphrase cache.
Mar 29 15:00:41 chocolatebar gpg-agent[4464]: gpg-agent (GnuPG) 2.2.27 starting in supervised mode.
Mar 29 15:00:41 chocolatebar gpg-agent[4464]: using fd 3 for std socket (/run/user/1001/gnupg/S.gpg-agent)
Mar 29 15:00:41 chocolatebar gpg-agent[4464]: listening on: std=3 extra=-1 browser=-1 ssh=-1
Mar 29 15:00:43 chocolatebar gpg-agent[4464]: SIGHUP received - re-reading configuration and flushing cache
Mar 29 15:00:47 chocolatebar gpg-agent[4464]: can't connect to the PIN entry module '/nix/store/kzfhylbfxcil8il8arpzan6s4mmp6mpg-gnupg-2.2.27/bin/pinentry': IPC connect call failed
Mar 29 15:00:47 chocolatebar gpg-agent[4464]: command 'IMPORT_KEY' failed: No pinentry

So I arrived here: #73332 (comment)

And tried the gpg-connect-agent /bye, which seems to have done the trick for now.

--homedir still breaks though. If I want to export keys from an external store it starts a gpg-agent with --homedir set, but not --pinentry-program:

$ gpg --homedir . --export-secret-keys 4332E0D02B214D31376C366E4406E80E13CD656C
gpg: key BD9F87BF158EDEA293AB528F3AEE58969033FB87: error receiving key from agent: No pinentry - skipped
gpg: key 61FA198546C858E232071D1FA67B30973D9536CA: error receiving key from agent: No pinentry - skipped
gpg: WARNING: nothing exported
$ ps -ef | grep gpg
ben      13021  2027  0 15:16 ?        00:00:00 /nix/store/kzfhylbfxcil8il8arpzan6s4mmp6mpg-gnupg-2.2.27/bin/gpg-agent --supervised --pinentry-program /nix/store/v5a4psggkiwjlvssqikap54ag90q83lr-pinentry-1.1.0-gnome3/bin/pinentry
ben      13237     1  0 15:17 ?        00:00:00 gpg-agent --homedir /home/ben/Downloads/gnupg --use-standard-socket --daemon

@reyman
Author

reyman commented Mar 29, 2021

I also have the same problem of gpg-agent duplication, the homedir problem. This happens at the initrd stage but it is probably linked: #106563 (comment) :/
Seems gpg is a sort of personal nightmare...

@cideM
Contributor

cideM commented Apr 27, 2021

I know nothing about gpg and only got here because I'm trying to use nix-sops to manage secrets for a deploy with deploy-rs but...

$ systemctl --user status gpg-agent --no-pager -l
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
     Loaded: loaded (/nix/store/afhs46mg5cn8ckf8hw5nf95kgg4sqbll-gnupg-2.2.27/share/systemd/user/gpg-agent.service; linked-runtime; vendor preset: enabled)
    Drop-In: /nix/store/8ypky0rm7kvvzzc2yvfb7v0w69b4v7nb-user-units/gpg-agent.service.d
             └─overrides.conf
     Active: active (running) since Tue 2021-04-27 23:44:08 CEST; 22s ago
TriggeredBy: ● gpg-agent.socket
             ● gpg-agent-ssh.socket
       Docs: man:gpg-agent(1)
   Main PID: 3012 (gpg-agent)
      Tasks: 1 (limit: 19136)
     Memory: 1.0M
        CPU: 13ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/gpg-agent.service
             └─3012 /nix/store/afhs46mg5cn8ckf8hw5nf95kgg4sqbll-gnupg-2.2.27/bin/gpg-agent --supervised --pinentry-program /nix/store/5lr2cryvgbmy0yw2hp6pg3d1162h6n31-pinentry-1.1.0-curses/bin/pinentry

Apr 27 23:44:08 nixos systemd[2505]: Started GnuPG cryptographic agent and passphrase cache.
Apr 27 23:44:08 nixos gpg-agent[3012]: gpg-agent (GnuPG) 2.2.27 starting in supervised mode.
Apr 27 23:44:08 nixos gpg-agent[3012]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Apr 27 23:44:08 nixos gpg-agent[3012]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Apr 27 23:44:08 nixos gpg-agent[3012]: listening on: std=3 extra=-1 browser=-1 ssh=4
Apr 27 23:44:25 nixos gpg-agent[3012]: failed to unprotect the secret key: Inappropriate ioctl for device
Apr 27 23:44:25 nixos gpg-agent[3012]: failed to read the secret key
Apr 27 23:44:25 nixos gpg-agent[3012]: command 'PKDECRYPT' failed: Inappropriate ioctl for device <Pinentry>

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryFlavor = "curses";
  };

:(

EDIT: Never mind, it's late and I need sleep now. The error message is different this time, and this error I can handle with

export GPG_TTY=$(tty)

Changing from gnome3 to curses therefore did the trick for me and solved the no pinentry issue

@hyperreal64

hyperreal64 commented Jul 12, 2021

Is there a fix or workaround for this yet that just hasn't been pushed to stable?

@shroomist

Unfortunately I ended up here.
I ssh into the machine; the setup is as follows:

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryFlavor = "curses";
  };

My error:

gpg --decrypt file.tar.gz.gpg
gpg: AES.CFB encrypted data
gpg: problem with the agent: No pinentry
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

@dpc
Contributor

dpc commented Aug 10, 2022

I have a fully working NixOS + PGP + Yubikey setup, including ssh&gpg signing forwarding.

For the ones sent here from web search: gpg setup (especially using hardware keys) involves a bunch of things: ssh/gpg agents, scdaemon, pcscd daemons, each with possible bugs, and sometimes not playing well with each other.

Other than the issue described below, I know for a fact that everything around this setup works perfectly with NixOS, but (just like with any other distro) it is somewhat fragile, and it's easy to accidentally break it and then it might be hard to debug.

The only wonky thing that I'm unable to completely address is that, unless you specify the absolute path in ~/.gnupg/gpg-agent.conf's pinentry-program <path> (like /run/current-system/sw/bin/pinentry-curses), which I can't because I share this config with non-NixOS machines, the only working gpg-agent instance on NixOS is the one that is started by systemd (in the user session):

> ps fax | grep agent
   4892 pts/0    S+     0:00  |       \_ /nix/store/qd9jxc0q00cr7fp30y6jbbww20gj33lg-gnugrep-3.7/bin/grep --color=auto agent
   4697 ?        SLs    0:00  \_ /nix/store/0v4206fp3s7bhvphy243mq4fsw2532kf-gnupg-2.3.6/bin/gpg-agent --supervised --pinentry-program /nix/store/4x1r1bb4wf6d92kqm83cp6iaz6sww2pz-pinentry-1.2.0-curses/bin/pinentry

As you can see - it works because it has the --pinentry-program provided so it can find pinentry.

If anything stops/kills this gpg-agent, any gpg invocation will start a new one, without that --pinentry-program argument and this agent will no longer be able to locate the pinentry binary to use. To fix it - kill that instance and run systemctl --user restart gpg-agent.service to use the systemd-provided version again.

My ssh forwarding setup needs to delete/override some sockets, and thus I have to keep fixing this each time I connect via ssh to my NixOS desktop.
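As an added example (not dpc's code, nor anything from nixpkgs or GnuPG), a shell script that automates the check and recovery dpc describes: classify every running gpg-agent as the systemd-supervised one (its command line carries `--pinentry-program`) or an agent that gpg auto-started on its own (no `--pinentry-program`, and a `--homedir` for whichever home it was started for), then kill the stray ones and restart the user unit so the supervised agent takes over again. It expects `ps -eo pid=,args=` output; the sample listing is constructed from the process lines quoted in this thread, not captured on a real host. Agents started for a non-default `--homedir` are reported separately rather than killed, since that case (per SuperSandro2000's comment further down) is an upstream limitation that restarting will not fix. The recovery commands are printed and only executed when `RUN=1`; the `GPG_TTY` step is cideM's fix from above, and `updatestartuptty` is a standard gpg-agent command. Function names are mine.

```shell
#!/bin/sh
# Added example, not code from the issue, nixpkgs or GnuPG. Assumes POSIX sh and awk.

# Print and, only if RUN=1, execute a recovery command.
run() {
  echo "+ $1"
  if [ "${RUN:-0}" = 1 ]; then sh -c "$1"; fi
}

# Classify gpg-agent processes in `ps -eo pid=,args=` output ($1) against the
# default GNUPGHOME ($2). One line per agent: "<pid> <kind>" where kind is
#   supervised     started by systemd with --pinentry-program (the one that works)
#   stray          auto-started by gpg for the default home, no --pinentry-program
#   other-homedir  auto-started for some other --homedir (pinentry cannot be fixed there)
classify_gpg_agents() {
  printf '%s\n' "$1" | awk -v home="$2" '
    $2 !~ /gpg-agent$/ { next }                       # skip grep and unrelated processes
    /--pinentry-program/ { print $1, "supervised"; next }
    {
      dir = ""
      for (i = 3; i <= NF; i++) if ($i == "--homedir") dir = $(i + 1)
      kind = (dir == "" || dir == home) ? "stray" : "other-homedir"
      print $1, kind
    }
  '
}

# Print the PIDs of stray agents; return 1 when there are none.
stray_gpg_agents() {
  classify_gpg_agents "$1" "$2" | awk '$2 == "stray" { print $1; n++ } END { exit n ? 0 : 1 }'
}

# Recovery as described in the thread: kill the stray agent(s), hand control back
# to the systemd user unit (whose ExecStart carries --pinentry-program), and tell
# the agent which tty the curses pinentry should use for this ssh session.
recover_stray_agents() {
  pids=$(stray_gpg_agents "$1" "$2") || { echo "no stray gpg-agent; nothing to do"; return 0; }
  for pid in $pids; do
    run "kill $pid"
  done
  run 'systemctl --user restart gpg-agent.service'
  run 'export GPG_TTY=$(tty); gpg-connect-agent updatestartuptty /bye'
}

# Constructed listing in `ps -eo pid=,args=` shape, assembled from the lines quoted
# in this thread: one supervised agent, two auto-started ones, one for a foreign home.
SAMPLE_PS='4697 /nix/store/0v4206fp3s7bhvphy243mq4fsw2532kf-gnupg-2.3.6/bin/gpg-agent --supervised --pinentry-program /nix/store/4x1r1bb4wf6d92kqm83cp6iaz6sww2pz-pinentry-1.2.0-curses/bin/pinentry
13237 gpg-agent --homedir /home/ben/Downloads/gnupg --use-standard-socket --daemon
4192 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
9001 gpg-agent --use-standard-socket --daemon
4892 grep --color=auto agent'

# Stand-alone demo on the constructed listing (prints the plan, executes nothing).
# On a real host: RUN=1 recover_stray_agents "$(ps -eo pid=,args=)" "${GNUPGHOME:-$HOME/.gnupg}"
recover_stray_agents "$SAMPLE_PS" /root/.gnupg
```

The classification deliberately keys on `--pinentry-program` rather than on the `--supervised` flag, because that option is the only thing that tells the two agents apart with respect to the bug: an agent without it will try `${gnupg}/bin/pinentry` and report "No pinentry" exactly as the logs above show.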

@philipwilk
Contributor

I've run into this bug on my pc and on my laptop, and the solution i ended up using is creating ~/.gnupg/gpg-agent.conf with the contents pinentry-program /etc/profiles/per-user/philip/bin/pinentry, where philip is my HOME folder, and I've got pinentry-gnome and gpg installed for my user in my nixfile.

@SuperSandro2000
Member

> --homedir still breaks though. If I want to export keys from an external store it starts a gpg-agent with --homedir set, but not --pinentry-program:

You cannot set --homedir when you want to use pinentry. This is an upstream limitation and upstream does not want to fix that issue.

The standard usecase when using programs.gnupg and programs.gnupg.agent is working as expected and should work even better after the pinentry rework on the split package.
