GPG fails to load pinentry [RESOLVED] #69

Closed
ademariag opened this Issue Apr 11, 2018 · 3 comments

ademariag commented Apr 11, 2018

For posterity. Would be good to have a better/more helpful error message and a troubleshooting section.

Problem [RESOLVED]

I have experienced this on my Linux desktop.
Basically, GPG is unable to call pinentry-curses (or -tty) to read the password on the command line.

./compiled/my_target/vault/provision.sh
potential problem: ERROR: pkdecrypt_failed 83918950
Traceback (most recent call last):
  File "/usr/local/google/home/ademaria/kapitan/bin/kapitan", line 11, in <module>
    load_entry_point('kapitan==0.14.0', 'console_scripts', 'kapitan')()
  File "/usr/local/google/home/ademaria/kapitan/lib/python3.6/site-packages/kapitan/cli.py", line 230, in main
    secret_gpg_reveal_raw(gpg_obj, args.secrets_path, None, verify=(not args.no_verify))
  File "/usr/local/google/home/ademaria/kapitan/lib/python3.6/site-packages/kapitan/secrets.py", line 249, in secret_gpg_reveal_raw
    revealed = re.sub(SECRET_TOKEN_TAG_PATTERN, _reveal_gpg_replace, line)
  File "/usr/local/google/home/ademaria/kapitan/lib/python3.6/re.py", line 191, in sub
    return _compile(pattern, flags).sub(repl, string, count)
  File "/usr/local/google/home/ademaria/kapitan/lib/python3.6/site-packages/kapitan/secrets.py", line 220, in reveal_gpg_replace
    return secret_gpg_read(gpg_obj, secrets_path, token, **kwargs)
  File "/usr/local/google/home/ademaria/kapitan/lib/python3.6/site-packages/kapitan/secrets.py", line 83, in secret_gpg_read
    raise GPGError(dec.status)
kapitan.secrets.GPGError: decryption failed

The solution is

export GPG_TTY=`tty`

Other helpful commands

sudo apt-get install pinentry-curses
sudo update-alternatives --config pinentry

Debug it with

eval $(gpg-agent --daemon --debug-level 9 --pinentry-program /usr/bin/pinentry-curses | tee /dev/tty)

@ademariag ademariag added the bug label Apr 11, 2018

adrianchifor commented Apr 11, 2018

Good point. Had the same problem on macOS with MacGPG2. If using the UI for password entry, this was solved by adding

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

to ~/.gnupg/gpg-agent.conf and reloading the gpg-agent.

ramaro commented Sep 6, 2018

This can also happen if you have a mix of gpg version 1 and version 2 binaries in your $PATH. Please ensure gpg version 2 is the only/first version your $PATH will find.

adrianchifor commented Nov 2, 2018

Closing as it contains solutions. Remains searchable in case someone encounters this issue.
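
A preflight check for the causes collected in this thread (GPG_TTY unset, gpg version 1 found first in $PATH, pinentry-program pointing at the wrong place), as an added example that is not part of the original issue or of kapitan's code. The function names and finding codes are hypothetical, the sample inputs are constructed, and treating a pinentry-program path that does not exist as the misconfiguration is an assumption.

```python
import os
import re
import subprocess

# Constructed sample inputs (not taken from the issue) for trying diagnose() offline.
SAMPLE_GPG1 = "gpg (GnuPG) 1.4.20\nCopyright (C) 2015 Free Software Foundation, Inc.\n"
SAMPLE_CONF = "# constructed example\npinentry-program /opt/example/pinentry-missing\n"


def gpg_major(version_output):
    """Major version parsed from the first line of `gpg --version`, or None."""
    match = re.match(r"gpg \(GnuPG[^)]*\) (\d+)\.", version_output)
    return int(match.group(1)) if match else None


def pinentry_from_conf(conf_text):
    """Path given by a pinentry-program line in gpg-agent.conf text, or None."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "pinentry-program":
            return parts[1].strip()
    return None


def diagnose(env, version_output, conf_text, exists=os.path.exists):
    """Return one (hypothetical) finding code per cause from the thread that applies."""
    findings = []
    if not env.get("GPG_TTY"):
        findings.append("GPG_TTY_UNSET")       # fix: export GPG_TTY=`tty`
    major = gpg_major(version_output)
    if major is not None and major < 2:
        findings.append("GPG1_FIRST_IN_PATH")  # fix: make gpg version 2 first in $PATH
    pinentry = pinentry_from_conf(conf_text)
    if pinentry and not exists(pinentry):
        findings.append("PINENTRY_MISSING")    # fix: correct the path, reload gpg-agent
    return findings


if __name__ == "__main__":
    # Gather the same three inputs from the live system.
    try:
        out = subprocess.run(["gpg", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    try:
        with open(os.path.expanduser("~/.gnupg/gpg-agent.conf")) as fh:
            conf = fh.read()
    except OSError:
        conf = ""
    print(diagnose(os.environ, out, conf) or "no known cause found")
```

Running a check like this before decryption lets the tool report a specific cause instead of the bare `decryption failed` shown in the traceback.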
