decrypt does not work with gpg 2.1.9 without '--pinentry-mode loopback' #137

Closed
dmarsic opened this issue Jan 17, 2016 · 7 comments

Comments

@dmarsic

dmarsic commented Jan 17, 2016

Decrypt (decrypt()) does not work for me unless passphrase has been previously passed to gpg2.

I'm using:

python-gnupg version 2.0.2
gpg (GnuPG) 2.1.9

My use case is relatively simple:

...     g.decrypt(f.read(), passphrase=passphrase, output=decfile)

If I trace it with strace, I see an "Inappropriate ioctl for device" message.

$ strace -fqq -s512 <command>
[pid  3645] <... read resumed> "ERR 83918950 Inappropriate ioctl for device <Pinentry>\n", 1002) = 55

I was able to make it work by:

  • Enabling gpg-agent to run with allow-loopback-pinentry, and
    $ grep allow-loopback-pinentry ~/.gnupg/gpg-agent.conf
    allow-loopback-pinentry
  • Adding --pinentry-mode loopback as an additional parameter to gnupg. I added it under GPGBase._make_args() and tested that decryption works.

Can --pinentry-mode loopback be added to gnupg?

@isislovecruft
Owner

> Can --pinentry-mode loopback be added to gnupg?

@dmarsic Yes. Thanks for reporting this! I'll add it now.

@isislovecruft
Owner

@dmarsic This should be fixed in python-gnupg version 2.2.0. If not, please feel free to reopen!

@sakof

sakof commented Jan 6, 2017

I'm quite new to python-gnupg, but it seems to me that I'm having this issue with 2.2.0.

(virtualenv) [root@9e6873a92dbc gnupg]# pip freeze | grep gnupg
gnupg==2.2.0

On fedora:24 docker image from docker hub.

(virtualenv) [root@9e6873a92dbc app]# rpm -qa | grep gnupg
gnupg2-2.1.11-3.fc24.x86_64
(virtualenv) [root@9e6873a92dbc app]# cat /etc/redhat-release 
Fedora release 24 (Twenty Four)

Output:

[GNUPG:] ENC_TO 47DF3239117392C2 1 0
[GNUPG:] PINENTRY_LAUNCHED 387
gpg: encrypted with 2048-bit RSA key, ID 117392C2, created 2016-12-30
      "Autogenerated Key <077ea6bacc2311e698bae8b1fcf138b2>"
gpg: public key decryption failed: Inappropriate ioctl for device
[GNUPG:] ERROR pkdecrypt_failed 83918950
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION

@piccoloaiutante

piccoloaiutante commented Feb 25, 2017

I'm having the same issue with 2.2.0 on OSX 10.12.2 while decrypting:

gpg: WARNING: unsafe permissions on homedir `./.gpg\\'
gpg: enabled debug flags: memstat
[GNUPG:] ENC_TO 9F1222C230B6E2F9 1 0
gpg: encrypted with RSA key, ID 30B6E2F9
[GNUPG:] NO_SECKEY 9F1222C230B6E2F9
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 224/32768 bytes in 1 blocks

@redshiftzero

To the above commenters, I ran into similar problems and I would confirm the following (since these comments are from early 2017 you probably solved already ha, but this comment is for the sake of the person googling this error message):

  1. Confirm that options=['--pinentry-mode loopback'] is used: gpg = gnupg.GPG(binary='gpg2', homedir=gpg_key_dir, options=['--pinentry-mode loopback'])
  2. Confirm that permissions are correct on your gpg home directory, file contents, and sub directories: directories should have 700, other files 600.
  3. Confirm that allow-loopback-pinentry has been added to gpg-agent.conf
  4. Confirm no gpg-agent processes are running (i.e. ps aux | grep gpg-agent)
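
Steps 2 and 3 of the checklist above can be checked mechanically. The following is an added example, not part of the comment and not python-gnupg code: `audit_gnupg_home` and `build_sample_home` are hypothetical names, and the sample home directory is constructed in a temp dir with two deliberate problems.

```python
import os
import stat
import tempfile


def audit_gnupg_home(homedir):
    """Return findings for a GnuPG home: loose permissions, loopback not enabled."""
    findings = []
    for root, _dirs, files in os.walk(homedir):
        # Checklist step 2: directories 700, other files 600.
        entries = [(root, 0o700)] + [(os.path.join(root, f), 0o600) for f in files]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISSOCK(st.st_mode) or stat.S_ISLNK(st.st_mode):
                continue  # agent sockets and symlinks hold no key material
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group/other access bit is a finding
                rel = os.path.relpath(path, homedir)
                findings.append(f"perm {rel} is {mode:04o}, expected {expected:04o}")
    # Checklist step 3: the option must be an active line, not a commented one.
    conf = os.path.join(homedir, "gpg-agent.conf")
    enabled = False
    if os.path.isfile(conf):
        with open(conf, encoding="utf-8") as fh:
            for line in fh:
                words = line.split()
                if words and words[0] == "allow-loopback-pinentry":
                    enabled = True
    if not enabled:
        findings.append("gpg-agent.conf has no active allow-loopback-pinentry line")
    return findings


def build_sample_home():
    """Constructed sample: a throwaway homedir with two deliberate problems."""
    home = tempfile.mkdtemp(prefix="gnupg-audit-")  # mkdtemp creates it 0700
    keydir = os.path.join(home, "private-keys-v1.d")
    os.mkdir(keydir)
    os.chmod(keydir, 0o755)  # problem 1: key directory readable by others
    conf = os.path.join(home, "gpg-agent.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("# allow-loopback-pinentry\n")  # problem 2: option commented out
    os.chmod(conf, 0o600)
    return home


if __name__ == "__main__":
    for finding in audit_gnupg_home(build_sample_home()):
        print(finding)
```

The audit only reads file modes and the config file; gpg-agent has to be restarted or reloaded before a corrected gpg-agent.conf takes effect.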

@pwillis-els

Using Ubuntu 18.04.5 and gpg 2.2.4, using screen, this same issue still seems to happen, and the above fixes the problem. The question is, why is this error still happening?

@johnnyutahh

johnnyutahh commented May 24, 2022

In my tests, the "standard" python-gnupg module has no need for options=['--pinentry-mode loopback'] on both macOS v10.15.7 and Ubuntu 20.04.4. Plus additional benefits. Details:

https://stackoverflow.com/a/72355824/605356

Also, I find the following bash_alias/command "clears" cached passwords from the gpg-agent, removing the need to kill the gpg-agent process (per below).

alias gpg_clear_cached_passphrases='gpg-connect-agent reloadagent /bye'
> 1. Confirm no gpg-agent processes are running (i.e. ps aux | grep gpg-agent)
