Firefox plugin not prompting for gpg password

[marceloneil]

browserpass: v1.0.1
browserpass plugin: v1.0.2
pass: v1.6.5
firefox: 50.1.0
linux: x86_64 Linux 4.8.13-1-ARCH

I've been using the chrome plugin with no problem, but I've been experiencing a slight issue with the firefox plugin. Whenever I try to use the plugin when the password for my gpg key has NOT been cached, the plugin immediately closes and I get this error. I am not prompted for the password like in chrome.

When the password is cached (ie. I recently used the chrome plugin/pass), the firefox plugin works fine and enters in my password. I still get this output however:

Let me know if there is anything else I can do to resolve this bug.

Thanks,

Marcel

[Timvde]

Same here, but on Nightly I get a different output in the browser console.

Cannot send message: Other side disconnected: ["MessageChannel:Response", {result:4, messageName:"20-0", recipient:{}, error:{}}]  ExtensionUtils.jsm:1091
	sendAsyncMessage resource://gre/modules/ExtensionUtils.jsm:1091:5
	_handleMessage/deferred.promise< resource://gre/modules/MessageChannel.jsm:671:9
stderr output from native app com.dannyvankooten.browserpass: 2017/01/06 11:28:19 exit status 2

[DamienCassou]

I have the same problem.

[kamidon]

I also have this problem. I think there must be something different about the environment available to the browserpass program when invoked by firefox vs. when invoked by chrome because I was able to confirm that if I run the browserpass command directly in a terminal and feed it the input it expects to get to be asked to retrieve a password, it does pop up the gpg-agent passphrase dialog and retrieve the password. Somehow the pass command when run by browserpass run by firefox isn't able to find the agent to trigger the passphrase request and thus the pass command fails and browserpass returns an error to firefox

I'm not sure what is different about the environment when firefox is running browserpass that triggers this nor whether there is anything that the extention author can do to fix it beyond failing a more specific bug with the firefox team.

[marceloneil]

@kamidon I don't think it is a bug with firefox, passff seems to work fine for me.

[kamidon]

The reason why I think this may be different is that the passff implementation explicitly passes the environment variables firefox knows about to the pass executable in the params to subprocess.call(). I suspect that the sendNativeMessage() call that starts and interacts with browserpass uses a more minimal (or empty) set of environment variables and that is preventing the gpg-agent from being found. To verify this, in a terminal I tested both pass and browserpass with an empty environment except for PATH and HOME, which are needed to find the pass executable and the default location of the password store. No GPG passphrase dialog is popped up and I get:

$ env -i PATH=/usr/bin HOME=/home/myuser browserpass < tmp/bp.test.input
2017/02/08 19:39:11 exit status 2
$ env -i PATH=/usr/bin HOME=/home/myuser pass a-password
gpg: decryption failed: No secret key

If I run these commands in the same terminal without the env -i PATH=/usr/bin HOME=/home/myuser prefix, then I do get the dialog and they succeed.

[marceloneil]

Oh interesting, that makes a lot of sense.

[dannyvankooten]

Can someone please try manually building the Browserpass binary with 343722b to see if that fixes anything? It invokes the gpg command directly instead of invoking pass.

If it still doesn't trigger the GPG agent, can you please invoke Chrome from the command line using:

google-chrome --enable-logging --v=1

That should enable logging and show all logging statements from Browserpass too which would be super helpful here. :)

[marceloneil]

Alright, I built the binary browserpass-linux64 (not the extensions) with 343722b. Google Chrome has always worked for me - but it got stuck loading with this binary - here is the output:

[marcel@GLaDOS browserpass]$ google-chrome-stable --enable-logging --v=1
[3,1520057216:15:30:46.696255] Native Client module will be loaded at base address 0x00003bf300000000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    76    0    76    0     0    511      0 --:--:-- --:--:-- --:--:--   571
[Browserpass] 2017/02/14 10:30:59 Password store is /home/marcel/.password-store
[Browserpass] 2017/02/14 10:30:59 Searching for github
[Browserpass] 2017/02/14 10:31:00 Password store is /home/marcel/.password-store
[Browserpass] 2017/02/14 10:31:00 Reading password file /home/marcel/.password-storeProgramming/github/marceloneil.gpg
[Browserpass] 2017/02/14 10:31:00 exit status 2

Just to be clear, the exit status 2 output occurred after I alt-tabbed back to the terminal.

I haven't tested FireFox yet, which this ticket was originally about, but I can do that too if you want @dannyvankooten. I think the issue might lie in the broken directory outputted in the second last line.

[lluixhi]

Interesting..
I have the same issue here in FireFox 51, but I noticed that after adding this patch:

--- a/browserpass.go
+++ b/browserpass.go
@@ -96,6 +96,7 @@
 func readPassFile(file string) *bytes.Buffer {
 	var out bytes.Buffer
 	cmd := exec.Command("pass", file)
+	cmd.Env = os.Environ()
 	cmd.Stdout = &out
 	err := cmd.Run()
 	checkError(err)

The password dialog will pop up occasionally, but not all of the time -- I haven't yet figured out why -- and when the password dialog does show up, it unlocks but I have to fill the field a second time.

[Railslide]

Interestingly enough, I noticed that I experience the same issue when using Gnome as desktop environment, but not on Unity (same machine for both cases, Ubuntu 16.04 with Firefox 52).

[marceloneil]

@Railslide interesting, could it be related to gnome-keyring? https://wiki.gnupg.org/GnomeKeyring

[Railslide]

I've checked but it doesn't seem to be related to the issue described there (i.e. gnome-keyring hijacking gpg-agent) - it uses gpg-agent in both cases @marceloneil

[Thor77]

Can still reproduce this error.
Google Chrome is working fine for me, though (even with the binary built from git master).

[ariselseng]

Is there any method where I can fix this temporarily? I have Ubuntu Gnome 17.04. I have tried to do "PASSWORD_STORE_DIR=/home/USER/.password-store firefox" in the terminal, but no luck.

[Thor77]

@cowai You can unlock your key before by executing pass <any password in your store> (or any other action requiring you to unlock your key). After that you can use browserpass normally.

[mandarvaze]

@Thor77
Didn't work for me.

After I use pass <any password in your store> do I need to restart firefox ?

[Thor77]

@mandarvaze no, you don't. Are you prompted for your password after executing the pass-command and if not, are you sure your gpg-agent is setup correctly?

[mandarvaze]

@Thor77 when I execute pass command from the terminal, I am shown a curses based dialog GUI where I need to enter the passphrase.

if I run open -a firefox from the terminal, after I provide the passphrase on the same terminal, then browserpass is able to autofill (I got this idea from #72 )

[Thor77]

Hm, is your gpg-agent set up in a non-standard way?

[mandarvaze]

@Thor77 I don't know (whether it is set in a non-standard way)

I didn't do any explicit setup for this ?

I just executed following commands

brew upgrade pass   # This upgraded gpg
brew link --overwrite gnupg
gpg2 --full-generate-key

Currently the following command is listed in the output of ps -ef | grep gpg

gpg-agent --homedir /Users/mandar/.gnupg --use-standard-socket --daemon

How can I check whether gpg-agent is set correctly, and whether it is set in a "standard" way.

[DamienCassou]

I started a thread about this issue at https://mail.mozilla.org/pipermail/dev-addons/2017-July/002966.html.

[DamienCassou]

I also started a thread about this issue on the gnupg mailing list: https://lists.gnupg.org/pipermail/gnupg-users/2017-July/058660.html

[Thor77]

I just noticed it seems to be working now with the latest Nightly (56.0a1 (2017-07-30)).
I can select a password and get a pinentry-prompt as intended.

[DamienCassou]

@Thor77 I have exactly the same Nightly but I still don't get the pinentry. I get this instead in the console:

stderr output from native app com.dannyvankooten.browserpass: [Browserpass] 2017/07/31 20:15:17 exit status 2
stderr output from native app com.dannyvankooten.browserpass: gpg: decryption failed: No secret key

[Thor77]

Hm, you're right. On my laptop with the exact same setup it doesn't work either.

[DamienCassou]

I played with the environment variables and made sure the command env returns the same output when launching the native application from Chrome and from Firefox. The bug is still present... I also checked the standard input in both cases, it is exactly the same. I'm lost.

[DamienCassou]

Can you please try to add the following to your ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-gtk

then kill you gpg-agent

$ pkill -TERM gpg-agent

and try to use browserpass in Firefox? What happens? Do you see a pinentry window?

I would also be interested in your desktop environment and operating system.

[mandarvaze]

@DamienCassou I'm on macOS, firefox 55.0 (64-bit)

[DamienCassou]

Mandar Vaze <notifications@github.com> writes:

@DamienCassou I'm on macOS, firefox 55.0 (64-bit)

do you have the problem with Firefox not showing the pinentry? Is there another pinentry binary you could use?

…

-- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill

[mandarvaze]

@DamienCassou I am not sure when the pinentry is supposed to be shown.

If I've "unlocked" the password from the terminal, then "search" works. "auto-fill" does not work.
See #23 (comment)

which pinentry shows /usr/local/bin/pinentry

$ pinentry
OK Pleased to meet you
^C

[maximbaz]

A pinentry with GUI is needed if you want it to open in the browser. See this comment for an example.

There is a PR #159, that also fixes gpg discovery, could be relevant.

Who can still reproduce this issue? Could you try the code from #159 (there are binaries attached) together with configuring the GUI pinentry, and confirm if there is still an issue?

[Thor77]

@maximbaz Can still reproduce the issue on master, can't with #159 applied, though.

[maximbaz]

Awesome news! I merged #159. I'll keep this bug open until I make a new release, please let me know if anyone still reproduces this issue on the latest master.

[maximbaz]

Fixed in v2.0.0! 🎉