gpg 2.1: no error message if gpg-agent or pinentry fail
Werner Koch
wk at gnupg.org
Wed Mar 11 16:45:52 CET 2015
On Tue, 10 Feb 2015 18:44, patrick at enigmail.net said:
> If pinentry can't be launched, then gpg 2.0 will report an error saying
> something like "problem with gpg-agent". But if you try to decrypt a
> message with gpg 2.1 and pinentry doesn't work, then there is absolutely
> no error message. You simply see "missing key xyz" messages.
Well, I see an error message here. To trigger such an error I use this
script as pinentry:
--8<---------------cut here---------------start------------->8---
#!/bin/sh
# Minimal fake pinentry: speaks just enough of the Assuan protocol for
# gpg-agent to talk to it, then fails every GETPIN with error 42.
echo "OK - what's up?"
while read cmd rest; do
    # Log every command received from gpg-agent to stderr.
    echo "cmd=$cmd rest=$rest" >&2
    case "$cmd" in
        \#*)
            # Assuan comment line: ignore.
            ;;
        GETPIN)
            # Deliberately fail the PIN request with error code 42
            # ("Tribute to D. A.") instead of returning a passphrase.
            echo "D ${PINENTRY_USER_DATA}"
            echo "ERR 42"
            ;;
        BYE)
            echo "OK"
            exit 0
            ;;
        *)
            # Accept every other command (OPTION, SETDESC, ...) as-is.
            echo "OK"
            ;;
    esac
done
--8<---------------cut here---------------end--------------->8---
Trying to decrypt something gives these messages:
[...]
gpg: public key decryption failed: Tribute to D. A.
[GNUPG:] ERROR pkdecrypt_failed 67108906
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
Right, you can't see the source of the error. Thus we need to look at
the ERROR status line:
$ gpg-error 67108906
67108906 = (4, 42) = (GPG_ERR_SOURCE_GPGAGENT, GPG_ERR_TRIBUTE_TO_D_A) = (GPG Agent, Tribute to D. A.)
Okay, so the source is gpg-agent. This is not correct because Pinentry
should have set an error source which it did not. There are also some
other errors which technically correctly assign gpg-agent as source of
the error but the actual cause for the error is a problem with Pinentry
and thus it should say so. To trigger such an error use "FOO 42"
instead of "ERR 42" in the pinentry script.
I now fixed the gpg-agent to assign Pinentry as error source for all
unexpected errors. With that change the decryption shows this:
gpg: public key decryption failed: Tribute to D. A.
[GNUPG:] ERROR pkdecrypt_failed 83886122
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
The same as above but the error code changed:
$ gpg-error 83886122
83886122 = (5, 42) = (GPG_ERR_SOURCE_PINENTRY, GPG_ERR_TRIBUTE_TO_D_A) = (Pinentry, Tribute to D. A.)
Thus a script may now detect that this is a problem with pinentry.
It would of course be possible to print the error source in the human
readable messages but I hesitate to do this due to the required string
changes. It might be possible to print a separate help message if such
a condition is detected.
There may be other error sources and thus I think it is better to help
the user by better describing how to debug the IPC between gpg-agent and
gpg. With that the cause for the problem can be easily seen. All error
codes from calling pinentry are now also written to the gpg-agent log
with "--debug 1024".
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
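As an added example (not from Werner's mail or the GnuPG sources), here is a small Python decoder for the ERROR status lines shown above, the kind of check a script can do now that gpg-agent reports Pinentry as the error source. It assumes the packed gpg-error layout from gpg-error.h (source number in bits 24..30, error code in the low 16 bits) and uses only the source and code names quoted in the mail; the sample status output is constructed from the two listings above.

```python
import re
# Packed gpg-error layout from gpg-error.h (assumption: error source in
# bits 24..30, error code in the low 16 bits).
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = 0x7F
GPG_ERR_CODE_MASK = 0xFFFF

# Names as printed by `gpg-error` in the mail; extend from gpg-error.h.
SOURCE_NAMES = {4: "GPG Agent", 5: "Pinentry"}
CODE_NAMES = {42: "Tribute to D. A."}
GPG_ERR_SOURCE_PINENTRY = 5

# Status lines as written by `gpg --status-fd 2`, e.g.
# "[GNUPG:] ERROR pkdecrypt_failed 83886122"
ERROR_LINE = re.compile(r"^\[GNUPG:\] ERROR (\S+) (\d+)\s*$")

def decode_gpg_error(value):
    """Split a packed gpg-error value into (source, code) numbers."""
    source = (value >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = value & GPG_ERR_CODE_MASK
    return source, code

def error_sources(status_output):
    """(location, source name, code name) for every ERROR status line."""
    found = []
    for line in status_output.splitlines():
        m = ERROR_LINE.match(line)
        if not m:
            continue
        source, code = decode_gpg_error(int(m.group(2)))
        found.append((m.group(1),
                      SOURCE_NAMES.get(source, "source %d" % source),
                      CODE_NAMES.get(code, "code %d" % code)))
    return found

def blames_pinentry(status_output):
    """True if any ERROR status line names Pinentry as the error source."""
    return any(decode_gpg_error(int(m.group(2)))[0] == GPG_ERR_SOURCE_PINENTRY
               for m in map(ERROR_LINE.match, status_output.splitlines()) if m)

# Constructed samples: the status output quoted in the mail before and
# after gpg-agent was changed to blame Pinentry.
BEFORE_FIX = ("[GNUPG:] ERROR pkdecrypt_failed 67108906\n"
              "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_FAILED\n")
AFTER_FIX = BEFORE_FIX.replace("67108906", "83886122")

if __name__ == "__main__":
    for label, out in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, error_sources(out), "pinentry:", blames_pinentry(out))
```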