AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"
Fiedler Roman
Roman.Fiedler at ait.ac.at
Mon Sep 3 18:56:41 CEST 2018
Hello List,
Just for the record: a gnupg2 "ERROR key_generate 33554531" is fixed by sending "%no-protection" via the command-fd. It seems that a password-less key was generated with gpg1 just by not setting a password. With gnupg2 this command is needed.
@Devs: It would be really nice to issue a message like "Refusing to create unprotected key, use %no-protection if you know what you are doing". It would have helped save quite some time.
Just to continue the gpg1 -> gpg2 migration error message guessing game: what might be the issue with this command?
/usr/bin/gpg --no-options --batch --no-default-keyring --homedir [some-home] --keyring key.pub --lock-never --trust-model always --status-fd 2 --verify 4b7b830243078d63.gpg
[GNUPG:] UNEXPECTED 0
gpg: verify signatures failed: Unexpected error
[GNUPG:] FAILURE verify 38
With gpg1 a similar command should have verified that the signature is exactly from the single public key stored in "key.pub".
Best regards,
Roman
> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On behalf of
>
> Hello list,
>
> I am attempting to upgrade software to use gpg2 instead of gpg. After fixing
> the usual "Inappropriate ioctl for device" and "Sorry, we are in batchmode -
> can't get input" messages and applying all the gpg_agent security
> workarounds, I am now stuck at this sequence:
>
> The key generation command
>
> ['/usr/bin/gpg', '--homedir', '/tmp/tmp-3abk6l8', '--with-colons', '--status-fd',
> '2', '--pinentry-mode', 'loopback', '--batch', '--gen-key', '--command-fd', '0']
>
> with the security-sensitive passphrase-input via the command-fd
>
> b'%echo Generating key\nKey-Type: RSA\nKey-Length: 1024\nSubkey-Type:
> ELG-E\nSubkey-Length: 1024\nName-Real: AutomationKey\nExpire-Date:
> 0\n%commit\n',
>
> will generate the following output:
>
> gpg: keybox '/tmp/tmp-3abk6l8/pubring.kbx' created
> gpg: Generating key
> [GNUPG:] INQUIRE_MAXLEN 100
> [GNUPG:] GET_HIDDEN passphrase.enter
> [GNUPG:] GOT_IT
> gpg: agent_genkey failed: Operation cancelled
> gpg: key generation failed: Operation cancelled
> [GNUPG:] ERROR key_generate 33554531
> [GNUPG:] KEY_NOT_CREATED
>
> It seems that agent and gpg are going through some "brain-split" episode, as
> the errors seem to indicate that everyone is thinking the other party
> canceled the transfer. The strace indicates that gnupg itself sends the
> "cancel" request to the agent and is astonished by the result - it cannot even
> give a meaningful error message about the current condition. As there is no
> other syscall activity, all the reasons for this have to be in gpg2.
>
> 2138 write(2, "[GNUPG:] INQUIRE_MAXLEN 100", 27) = 27
> 2138 write(2, "\n", 1) = 1
> 2138 write(2, "[GNUPG:] GET_HIDDEN passphrase.enter", 36) = 36
> 2138 write(2, "\n", 1) = 1
> 2138 read(0, "", 1) = 0
> 2138 write(2, "[GNUPG:] GOT_IT", 15) = 15 --- not knowing what gnupg
> successfully got here as there is no passphrase to read
> 2138 write(2, "\n", 1) = 1
> 2138 write(3, "CAN", 3) = 3 --- Gnupg sending cancel
> 2138 write(3, "\n", 1) = 1
> 2138 read(3, <unfinished ...>
> 2142 read(9, "CAN\n", 1002) = 4 --- Agent reading cancel
> 2142 getpid() = 2141
> 2142 write(2, "gpg-agent[2141]: command 'GENKEY' failed: IPC call has been
> cancelled", 69) = 69
> 2142 write(2, "\n", 1) = 1
> 2142 write(9, "ERR 67109141 IPC call has been cancelled <GPG Agent>", 52)
> = 52 --- Agent telling gnupg about cancel
> 2138 <... read resumed> "ERR 67109141 IPC call has been cancelled <GPG
> Agent>", 1002) = 52 -- gpg reading cancel
> 2138 read(3, <unfinished ...>
> 2142 write(9, "\n", 1) = 1
> 2138 <... read resumed> "\n", 950) = 1
> 2138 write(2, "gpg: agent_genkey failed: Operation cancelled", 45) = 45
> 2138 write(2, "\n", 1) = 1
> 2138 write(2, "gpg: key generation failed: Operation cancelled", 47) = 47
> 2138 write(2, "\n", 1) = 1
> 2138 write(2, "[GNUPG:] ERROR key_generate 33554531", 36) = 36
> 2138 write(2, "\n", 1) = 1
> 2138 write(2, "[GNUPG:] KEY_NOT_CREATED ", 25) = 25
> 2138 write(2, "\n", 1) = 1
> 2138 read(0, "", 8192) = 0
> 2138 munmap(0x7faad0a44000, 65536) = 0
> 2138 exit_group(2) = ?
> 2138 +++ exited with 2 +++
>
> Does someone know how to fix that?
>
> Kind regards, Roman
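An added example, not part of the original message and not GnuPG's own code: it decodes the numeric errors quoted in the thread (libgpg-error packs them as source << 24 | code), builds the batch parameter block with %no-protection, and turns the posted status lines into a readable diagnosis. The function names and the 3072-bit default are assumptions made for this sketch; the command line and status lines are the ones posted above.

```python
import subprocess

# libgpg-error packs a value as (source << 24) | code. Only the names needed
# for the numbers quoted in this thread are listed.
SOURCES = {0: "unspecified", 2: "gpg", 4: "gpg-agent"}
CODES = {38: "Unexpected error", 99: "Operation cancelled",
         277: "IPC call has been cancelled"}
# Status lines as posted in the thread (failing run without %no-protection).
SAMPLE = ("[GNUPG:] INQUIRE_MAXLEN 100\n[GNUPG:] GET_HIDDEN passphrase.enter\n"
          "[GNUPG:] GOT_IT\ngpg: agent_genkey failed: Operation cancelled\n"
          "[GNUPG:] ERROR key_generate 33554531\n[GNUPG:] KEY_NOT_CREATED\n")

def decode_gpg_error(value):
    """Split a numeric gpg error into (source name, description)."""
    source, code = (value >> 24) & 0x7F, value & 0xFFFF
    return SOURCES.get(source, f"source {source}"), CODES.get(code, f"code {code}")

def batch_params(name, bits=3072, unprotected=True):
    """Parameter block as in the thread (which used 1024 bits), with
    %no-protection placed before %commit when an unprotected key is intended."""
    lines = ["%echo Generating key", "Key-Type: RSA", f"Key-Length: {bits}",
             "Subkey-Type: ELG-E", f"Subkey-Length: {bits}",
             f"Name-Real: {name}", "Expire-Date: 0"]
    if unprotected:
        lines.append("%no-protection")
    return ("\n".join(lines + ["%commit"]) + "\n").encode()

def diagnose(status_text):
    """Return (created, hint) from the --status-fd output of key generation."""
    status = [l.split()[1:] for l in status_text.splitlines()
              if l.startswith("[GNUPG:] ") and l[9:].strip()]
    if any(s[0] == "KEY_CREATED" for s in status):
        return True, "key created"
    asked = any(s[:2] == ["GET_HIDDEN", "passphrase.enter"] for s in status)
    for s in status:
        if s[0] == "ERROR" and len(s) >= 3 and s[2].isdigit():
            src, desc = decode_gpg_error(int(s[2]))
            hint = f"{s[1]}: {desc} (reported by {src})"
            if asked and desc == "Operation cancelled":
                hint += "; passphrase requested but none read, supply one or add %no-protection"
            return False, hint
    return False, "no KEY_CREATED status line seen"

def generate_key(homedir, name):
    """Run the command line from the thread; stderr carries the status lines."""
    argv = ["/usr/bin/gpg", "--homedir", homedir, "--with-colons", "--status-fd", "2",
            "--pinentry-mode", "loopback", "--batch", "--gen-key", "--command-fd", "0"]
    proc = subprocess.run(argv, input=batch_params(name), capture_output=True)
    return diagnose(proc.stderr.decode(errors="replace"))
```

Decoded this way, 33554531 is "Operation cancelled" raised by gpg itself, 67109141 is the agent's "IPC call has been cancelled", and the 38 in "FAILURE verify 38" is "Unexpected error" with no source set.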