[arch-general] Problem with GPG Access Rules
Hello,

I have a problem with my access rules on my ~/.gnupg folder. The reason is that I can't sign any e-mails.
The warning message was that the access rules to the folder are too open,
but which rights are correct?
I have looked in the folder and my rights look like this:

drwxr-xr-x 3 joerg users 4,0K 12. Okt 12:57 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw-r--r-- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw-r--r-- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

Is this correct for gpg / Kleopatra?
The translated output was:

Detailed error message: Output from gpg2:
gpg: WARNING: Insecure access rights of the home directory `/home/joerg/.gnupg '
gpg: write after '-'
gpg: pinentry launched (5745 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device

Many thanks for helpers
On Mon, 2020-10-12 at 13:08 +0200, Jörg Jellissen wrote:
Hello,
I have a problem with my access rules on my ~/.gnupg folder. The reason is that I can't sign any e-mails.
The warning message was that the access rules to the folder are too open,
but which rights are correct?
I have looked in the folder and my rights look like this:

drwxr-xr-x 3 joerg users 4,0K 12. Okt 12:57 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw-r--r-- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw-r--r-- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

Is this correct for gpg / Kleopatra?
The translated output was:

Detailed error message: Output from gpg2:
gpg: WARNING: Insecure access rights of the home directory `/home/joerg/.gnupg '
gpg: write after '-'
gpg: pinentry launched (5745 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device

Many thanks for helpers

Seems like there is an issue with the pinentry binary. It does not seem to be compatible with your system. IOCTL are a way to interface with the kernel, they export extra "functions" in file descriptors that you can call. Your system does not support whatever the pinentry is trying to use.
You can use strace to try to figure out exactly what is wrong with your pinentry. I'd recommend to open an issue in the upstream to see if they could implement things in an alternative that does not require use of the problematic IOCTL.

Cheers,
Filipe Laíns
On Mon, 12 Oct 2020 at 12:31, Filipe Laíns via arch-general <arch-general@archlinux.org> wrote:
On Mon, 2020-10-12 at 13:08 +0200, Jörg Jellissen wrote:
Hello,
I have a problem with my access rules on my ~/.gnupg folder. The reason is that I can't sign any e-mails.
The warning message was that the access rules to the folder are too open,
but which rights are correct?
I have looked in the folder and my rights look like this:

drwxr-xr-x 3 joerg users 4,0K 12. Okt 12:57 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw-r--r-- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw-r--r-- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

Is this correct for gpg / Kleopatra?
No, please chmod -R go= ~/.gnupg
the translated output was
Detailed error message: Output from gpg2:
gpg: WARNING: Insecure access rights of the home directory `/home/joerg/.gnupg '
gpg: write after '-'
gpg: pinentry launched (5745 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device
Many thanks for helpers
Seems like there is an issue with the pinentry binary. It does not seem to be compatible with your system. IOCTL are a way to interface with the kernel, they export extra "functions" in file descriptors that you can call. Your system does not support whatever the pinentry is trying to use.
If you still have a problem you could try using a different pinentry binary, there are usually several using different/no graphical toolkit(s):

$ ll /usr/bin/*pinentry*
-rwxr-xr-x 1 root root 3071 Aug 25 22:35 /usr/bin/pinentry*
-rwxr-xr-x 1 root root 56792 Aug 25 22:35 /usr/bin/pinentry-curses*
-rwxr-xr-x 1 root root 52536 Aug 25 22:35 /usr/bin/pinentry-emacs*
-rwxr-xr-x 1 root root 77760 Aug 25 22:35 /usr/bin/pinentry-gnome3*
-rwxr-xr-x 1 root root 90560 Aug 25 22:35 /usr/bin/pinentry-gtk-2*
-rwxr-xr-x 1 root root 123664 Aug 25 22:35 /usr/bin/pinentry-qt*
lrwxrwxrwx 1 root root 11 Aug 25 22:35 /usr/bin/pinentry-qt4 -> pinentry-qt*
lrwxrwxrwx 1 root root 11 Aug 25 22:35 /usr/bin/pinentry-qt5 -> pinentry-qt*
-rwxr-xr-x 1 root root 52408 Aug 25 22:35 /usr/bin/pinentry-tty*

Perhaps a different one will work (because it may not use that functionality). That helped me once. The first suggestion will more likely help here, though.

Best wishes,
NTS
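
Added example, not part of the thread and not written by any of the posters: a POSIX shell audit that lists everything under a GnuPG home directory still readable, writable or searchable by group or other, followed by the "chmod -R go=" fix suggested above. The function names are made up for this example, and the sample directory is constructed with the modes from the first listing in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GnuPG home directory for
# group/other access, then apply the fix suggested above (chmod -R go=).

# Print every path under $1 that grants any permission bit to group or other.
# Returns 0 if clean, 1 if something is too open, 2 if $1 is not a directory.
audit_gnupg_home() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # POSIX find: "-perm -NNN" matches when all listed bits are set, so the six
    # group/other bits are ORed. Symlinks are skipped (their mode is not used).
    too_open=$(find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$too_open" ] && return 0
    printf '%s\n' "$too_open"
    return 1
}

# The fix from the thread: clear all group/other bits, leave the owner's alone.
fix_gnupg_home() {
    chmod -R go= "$1"
}

# Constructed sample: a throwaway directory carrying the modes from the first
# listing in the thread (empty files, no key material).
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private-keys-v1.d"
    : > "$d/pubring.kbx"; : > "$d/pubring.kbx~"
    : > "$d/reader_0.status"; : > "$d/trustdb.gpg"
    chmod 700 "$d/private-keys-v1.d"
    chmod 644 "$d/pubring.kbx" "$d/reader_0.status"
    chmod 600 "$d/pubring.kbx~" "$d/trustdb.gpg"
    chmod 755 "$d"
    printf '%s\n' "$d"
}

demo=$(make_sample_home)
echo "before:"; audit_gnupg_home "$demo" || fix_gnupg_home "$demo"
echo "after:";  audit_gnupg_home "$demo" && echo "no group/other access left"
rm -rf "$demo"
```

In the thread, the "Insecure access rights" warning is gone from the gpg2 output after this change while the pinentry IOCTL error remains, so the two messages point at separate problems.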
Hello,

no, it doesn't work yet.
Now I have changed it like this:

chmod -R go= ~/.gnupug

but in Evolution a minimally different error appears:

Detailed error message: Output from gpg2:
gpg: write after '-'
gpg: pinentry launched (6884 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device

and the ls -lah says:

drwx------ 3 joerg users 4,0K 12. Okt 13:07 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw------- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw------- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

I forgot to say that I have my key transferred to a YubiKey (PIV=Smartcard), but the key is plugged into the USB device.

On Monday, 12.10.2020, 13:31 +0100, Filipe Laíns wrote:
On Mon, 2020-10-12 at 13:08 +0200, Jörg Jellissen wrote:
Hello,
I have a problem with my access rules on my ~/.gnupg folder. The reason is that I can't sign any e-mails.
The warning message was that the access rules to the folder are too open,
but which rights are correct?
I have looked in the folder and my rights look like this:

drwxr-xr-x 3 joerg users 4,0K 12. Okt 12:57 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw-r--r-- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw-r--r-- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

Is this correct for gpg / Kleopatra?
The translated output was:

Detailed error message: Output from gpg2:
gpg: WARNING: Insecure access rights of the home directory `/home/joerg/.gnupg '
gpg: write after '-'
gpg: pinentry launched (5745 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device
Many thanks for helpers
Seems like there is an issue with the pinentry binary. It does not seem to be compatible with your system. IOCTL are a way to interface with the kernel, they export extra "functions" in file descriptors that you can call. Your system does not support whatever the pinentry is trying to use.
You can use strace to try to figure out exactly what is wrong with your pinentry. I'd recommend to open an issue in the upstream to see if they could implement things in an alternative that does not require use of the problematic IOCTL.
Cheers, Filipe Laíns
On Mon, 12 Oct 2020 at 13:12, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:
Hello,
no, it doesn't work yet.
Now I have changed it like this:

chmod -R go= ~/.gnupug

but in Evolution a minimally different error appears:

Detailed error message: Output from gpg2:
gpg: write after '-'
gpg: pinentry launched (6884 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device

and the ls -lah says:

drwx------ 3 joerg users 4,0K 12. Okt 13:07 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw------- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw------- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

I forgot to say that I have my key transferred to a YubiKey (PIV=Smartcard), but the key is plugged into the USB device.
OK, in that case make sure scdaemon is installed and running as your user. It's best to start it every time with your graphical shell/session. The private-keys-v1.d will only have a "stub" key and reference the card.

Best,
NTS
Thanks for the tip.

Why is the service dead or inactive?

● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
Active: inactive (dead) since Mon 2020-10-12 15:05:48 CEST; 21min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Process: 6657 ExecStart=/usr/bin/pcscd --foreground --auto-exit (code=exited, status=0/SUCCESS)
Main PID: 6657 (code=exited, status=0/SUCCESS)

Okt 12 15:04:47 joerg-desktop systemd[1]: Started PC/SC Smart Card Daemon.
Okt 12 15:05:48 joerg-desktop systemd[1]: pcscd.service: Succeeded.

I hope it is enough to enable the service again with this command:

sudo systemctl enable --now pcscd.service

Do you think so?

On Monday, 12.10.2020, 13:20 +0000, NTS wrote:
On Mon, 12 Oct 2020 at 13:12, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:
Hello,
no, it doesn't work yet.
Now I have changed it like this:

chmod -R go= ~/.gnupug

but in Evolution a minimally different error appears:

Detailed error message: Output from gpg2:
gpg: write after '-'
gpg: pinentry launched (6884 curses 1.1.0 - -: 0)
gpg: Authentication failed: Inappropriate IOCTL (I / O control) for the device
gpg: signing failed: Unsuitable IOCTL (I / O control) for the device

and the ls -lah says:

drwx------ 3 joerg users 4,0K 12. Okt 13:07 .
drwx------ 29 joerg users 4,0K 11. Okt 18:48 ..
drwx------ 2 joerg users 4,0K 9. Okt 21:13 private-keys-v1.d
-rw------- 1 joerg users 2,5K 9. Okt 21:13 pubring.kbx
-rw------- 1 joerg users 32 9. Okt 21:13 pubring.kbx~
-rw------- 1 joerg users 7 10. Okt 19:41 reader_0.status
-rw------- 1 joerg users 1,3K 9. Okt 21:13 trustdb.gpg

I forgot to say that I have my key transferred to a YubiKey (PIV=Smartcard), but the key is plugged into the USB device.
OK, in that case make sure scdaemon is installed and running as your user. It's best to start it every time with your graphical shell/session. The private-keys-v1.d will only have a "stub" key and reference the card.
Best,
NTS
Participants (3): Filipe Laíns, Jörg Jellissen, NTS