Debian Bug report logs - #851440
sign_and_send_pubkey: signing failed: agent refused operation
Reported by: Dominik George <nik@naturalnet.de>
Date: Sat, 14 Jan 2017 23:27:01 UTC
Severity: important
Found in version gnupg2/2.1.17-4
Fixed in version 2.1.17-6
Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Bug is archived. No further changes may be made.
Message #5 received at submit@bugs.debian.org:
Package: gnupg-agent
Version: 2.1.17-4
Severity: important
Suddenly, using gpg-agent as ssh-agent with authentication subkeys
stopped working:
sign_and_send_pubkey: signing failed: agent refused operation
I can, however, still see my authentication subkeys in ssh-add -l:
% ssh-add -l
4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/lksh
Init: systemd (via /run/systemd/system)
Versions of packages gnupg-agent depends on:
ii libassuan0 2.4.3-2
ii libc6 2.24-8
ii libgcrypt20 1.7.5-3
ii libgpg-error0 1.26-1
ii libnpth0 1.3-1
ii libreadline7 7.0-1
ii pinentry-qt [pinentry] 1.0.0-1
Versions of packages gnupg-agent recommends:
ii gnupg 2.1.17-4
ii gpgsm 2.1.17-4
Versions of packages gnupg-agent suggests:
ii scdaemon 2.1.17-4
-- no debconf information
Acknowledgement sent to Dominik George <nik@naturalnet.de> (Sun, 15 Jan 2017 16:39:09 GMT).
Message #10 received at 851440@bugs.debian.org:
> Suddenly, using gpg-agent as ssh-agent with authentication subkeys
> stopped working:
>
> sign_and_send_pubkey: signing failed: agent refused operation
>
> I can, however, still see my authentication subkeys in ssh-add -l:
>
> % ssh-add -l
> 4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
> 256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)
I found out this only happens when using the systemd user service.
Disabling it and manually starting the agent works.
--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/
Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer
LPIC-3 Linux Enterprise Professional (Security)
Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net> (Wed, 18 Jan 2017 09:00:03 GMT).
Message #15 received at 851440@bugs.debian.org:
On Sun 2017-01-15 11:35:59 -0500, Dominik George wrote:
>> Suddenly, using gpg-agent as ssh-agent with authentication subkeys
>> stopped working:
>>
>> sign_and_send_pubkey: signing failed: agent refused operation
>>
>> I can, however, still see my authentication subkeys in ssh-add -l:
>>
>> % ssh-add -l
>> 4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
>> 256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)
>
> I found out this only happens when using the systemd user service.
> Disabling it and manually starting the agent works.
Do you have the dbus-user-session package installed? What pinentry are
you using?
Can you try terminating your manually-launched agent, re-enabling and
restarting the systemd user service, and then telling gpg-agent to
update its "startuptty" ?
    gpg-connect-agent killagent /bye
    systemctl --user enable --now 'gpg-agent*.socket'
    gpg-connect-agent updatestartuptty /bye
then try using gpg-agent for ssh-agent again. does it work?
if so, then the issue has to do with the interaction between pinentry
and the systemd user services, and the fact that the ssh-agent protocol
doesn't have a way for a client to provide any hints or feedback to the
ssh-agent daemon about how to contact the user.
This impedance mismatch between ssh-agent and gpg-agent makes it
difficult for gpg-agent to know how to prompt the user by default. But
if you're using pinentry-gnome3 and dbus-user-session then the agent
will just know automatically how to prompt the user, because the user
services will know to use the same dbus session that pinentry-gnome3
uses to provide feedback to the user.
hth,
--dkg
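The check discussed in the message above, as an added example that is not part of the thread or of the gnupg packaging: given the environment of the systemd user manager and the two socket paths, it reports whether a socket-activated gpg-agent has what a graphical pinentry needs to reach the user. The variable list (DISPLAY, DBUS_SESSION_BUS_ADDRESS), the sample environments and the socket path are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Decides, from text inputs, whether a
# gpg-agent started as a systemd user service can reach the user for a prompt.

# Constructed samples: `systemctl --user show-environment` output without and
# with the session variables (assumed relevant: DISPLAY, DBUS_SESSION_BUS_ADDRESS).
SAMPLE_BARE_ENV='HOME=/home/user
PATH=/usr/bin:/bin
XDG_RUNTIME_DIR=/run/user/1000'
SAMPLE_SESSION_ENV="$SAMPLE_BARE_ENV
DISPLAY=:0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
SAMPLE_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh   # constructed path

# missing_prompt_vars ENV_DUMP: print the checked variables that are unset
# or empty in ENV_DUMP ("NAME=value" lines), space-separated.
missing_prompt_vars() {
    missing=""
    for var in DISPLAY DBUS_SESSION_BUS_ADDRESS; do
        printf '%s\n' "$1" | grep -q "^${var}=." ||
            missing="${missing:+$missing }$var"
    done
    printf '%s\n' "$missing"
}

# advise ENV_DUMP SSH_AUTH_SOCK AGENT_SSH_SOCKET: print one verdict line.
advise() {
    if [ -z "$2" ] || [ "$2" != "$3" ]; then
        echo "not-gpg-agent"      # ssh is talking to some other agent
        return 0
    fi
    lacking=$(missing_prompt_vars "$1")
    if [ -n "$lacking" ]; then
        # Candidate for: gpg-connect-agent updatestartuptty /bye
        echo "cannot-prompt: $lacking"
    else
        echo "ok"
    fi
}

# Live use: sh this-script live
if [ "${1:-}" = "live" ]; then
    advise "$(systemctl --user show-environment)" "${SSH_AUTH_SOCK:-}" \
        "$(gpgconf --list-dirs agent-ssh-socket)"
fi
```

A "cannot-prompt" verdict is a heuristic: an agent that has already received updatestartuptty from a graphical session can prompt even when the user manager's environment lacks these variables.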
Acknowledgement sent to Dominik George <nik@naturalnet.de> (Wed, 18 Jan 2017 10:30:10 GMT).
Message #20 received at 851440@bugs.debian.org:
Hi,
> Do you have the dbus-user-session package installed?
No, I have dbus-x11.
> What pinentry are you using?
pinentry-qt.
> Can you try terminating your manually-launched agent, re-enabling and
> restarting the systemd user service, and then telling gpg-agent to
> update its "startuptty" ?
>
> gpg-connect-agent killagent /bye
> systemctl --user enable --now 'gpg-agent*.socket'
% systemctl --user enable --now 'gpg-agent*.socket'
Failed to enable unit: File gpg-agent\x2a.socket: No such file or directory
Had to do the three of them separately…
> gpg-connect-agent updatestartuptty /bye
>
> then try using gpg-agent for ssh-agent again. does it work?
Yes, that works.
-nik
Acknowledgement sent to Dominik George <nik@naturalnet.de> (Thu, 19 Jan 2017 18:39:03 GMT).
Message #25 received at 851440@bugs.debian.org:
> > Do you have the dbus-user-session package installed?
>
> No, I have dbus-x11.
Installing dbus-user-session actually fixes it.
I leave it up to you to decide whether this is a bug or using the ssh
feature is not a standard use of the package.
Maybe you should at least Recommend dbus-user-session.
-nik
Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net> (Tue, 24 Jan 2017 02:45:03 GMT).
Message #30 received at 851440@bugs.debian.org:
Version: 2.1.17-6
On Thu 2017-01-19 13:36:20 -0500, Dominik George wrote:
>> > Do you have the dbus-user-session package installed?
>>
>> No, I have dbus-x11.
>
> Installing dbus-user-session actually fixes it.
>
> I leave it up to you to decide whether this is a bug or using the ssh
> feature is not a standard use of the package.
>
> Maybe you should at least Recommend dbus-user-session.
I've put dbus-user-session into the Suggests: for gnupg-agent, and
included some more extensive documentation in
/usr/share/doc/gnupg-agent/README.Debian as well. So i think we can
close https://bugs.debian.org/851440
Thanks for the feedback, Dominik!
--dkg
Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>: You have taken responsibility. (Tue, 24 Jan 2017 02:45:06 GMT)
Notification sent to Dominik George <nik@naturalnet.de>: Bug acknowledged by developer. (Tue, 24 Jan 2017 02:45:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Feb 2017 07:30:03 GMT)