[SOLVED] enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 9th, '14, 00:29

The thunderbird email client plugin enigmail using gnupg2 doesn't work under KDE in Mageia 4. It didn't work in Mageia 3 either. This appears to be due to the addition of gnome-keyring, which seems to block pinentry from asking the user for their passphrase in order to sign/encrypt email, so attempts to send email from thunderbird using enigmail / gnupg2 fail.

The options to work around this are all less than attractive. Uninstalling gnome-keyring doesn't resolve the problem, but it orphans 21 packages. Disabling the enigmail extension in thunderbird re-enables sending email again, but of course then they can't be signed. Uninstalling gnupg2 leaving only gnupg installed with enigmail enabled in thunderbird allows signing of sent email, but that removed a lot of KDE applications and orphaned 169 packages in Mageia 3.

With gnupg2 installed and enigmail enabled in thunderbird and OpenPGP preferences set to find gpg as /usr/bin/gpg2 all the pieces appear to be in place. KDE starts the gpg-agent daemon and sets variable GPG_AGENT_INFO to point to its socket. The user file ~/.gnupg/gpg-agent-info also points to the socket. The user file ~/.gnupg/gpg.conf contains the directive use-agent and specifies the default-key. File ~/.gnupg/gpg-agent.conf contains "pinentry-program /usr/bin/pinentry-qt" and /usr/bin/pinentry-qt is simply a link to /usr/bin/pinentry-qt4 as you'd expect under KDE, while /usr/bin/pinentry doesn't work either.

An OpenPGP debugging log created with all of this set up shows that trying to send an email from thunderbird results in either enigmail or gnupg2 failing with the error "no pinentry". Clearing the OpenPGP preferences entry /usr/bin/gpg2 triggers a warning that gpg-agent can't control passphrase retention because gnome-keyring or another similar service is installed.

This system was upgraded from Mageia 3 to Mageia 4, so I wonder, does this all work in a fresh install of Mageia 4? It looks like this is the result of a conflict between enigmail with gnupg2 and gnome-keyring, but if anyone has made this work I'll appreciate hearing about it. I'd like to be able to sign/encrypt email, but I'd also like to have a full KDE desktop.
Last edited by griffin on Feb 14th, '14, 09:42, edited 1 time in total.

Re: enigmail / gnupg2 doesn't work in KDE

Postby doktor5000 » Feb 9th, '14, 11:47

Dumb question, you made sure that pinentry-qt4 package is installed? You could also try the alternatives like pinentry-gtk2 (as pinentry itself is only for terminal applications IIRC).
On a related note, pinentry-qt4 itself seems to be working, as I'm using that for ssh authentication: https://wiki.mageia.org/en/Packagers_ss ... nning_KDE4

FWIW, you're using the Mageia enigmail packages?

Re: enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 9th, '14, 13:20

Both the pinentry and pinentry-qt4 packages are installed, and the binaries are in /usr/bin. Yes, I'm using the Mageia 4 thunderbird and enigmail packages. They were updated just a couple of days ago. Here's some evidence of my setup:
Code:
# netstat -lp | grep gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     18474  1932/gpg-agent      /tmp/gpg-GvDCox/S.gpg-agent
Code:
# env | grep GPG
GPG_AGENT_INFO=/tmp/gpg-GvDCox/S.gpg-agent:1932:1
Code:
# cat ./.gnupg/gpg-agent-info
GPG_AGENT_INFO=/tmp/gpg-GvDCox/S.gpg-agent:1932:1
Code:
# ps -A | grep gpg-agent
 1932 ?        00:00:00 gpg-agent
Code:
# cat ./.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-qt no-grab default-cache-ttl 1800
Code:
# ls -al /usr/bin/pinentry*
-rwxr-xr-x 1 root root   1939 Jan 14  2011 /usr/bin/pinentry*
-rwxr-xr-x 1 root root  50472 Oct 19 02:57 /usr/bin/pinentry-curses*
lrwxrwxrwx 1 root root     12 Feb  7 09:39 /usr/bin/pinentry-qt -> pinentry-qt4*
-rwxr-xr-x 1 root root 158160 Oct 19 02:57 /usr/bin/pinentry-qt4*

What's missing? Or, more likely, what haven't I done, or done wrong?

Re: enigmail / gnupg2 doesn't work in KDE

Postby doktor5000 » Feb 9th, '14, 19:10

From what I can tell, nothing, all pieces are there.

You could try if pinentry displays something, when asked for a pin. Run it, then enter GETPIN and it should display a pin query:

[doktor5000@Mageia3 ~]$ pinentry-qt
OK Your orders please
GETPIN

http://lists.gnupg.org/pipermail/gnupg- ... 31819.html


If it does do that, then pinentry itself is also working. Sadly I don't use gnupg that often, so can't provide an example to get it to ask for a key. But IIRC in thunderbird/enigmail there's some debug mode, which displays to Thunderbird's error console.
Apart from that, you can only try to ask at enigmail upstream directly: http://www.mozilla-enigmail.org/home/index.php
Or take a look at https://wiki.archlinux.org/index.php/Gn ... leshooting for some more hints ...

Re: enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 10th, '14, 17:58

A test of pinentry-qt showed that it works just like the example you posted.

I've posted this problem to the Enigmail forum: http://sourceforge.net/p/enigmail/forum ... /b4857efd/ .

Re: enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 14th, '14, 09:23

I've solved this problem.

I removed "nograb" and added "keep-display" and "display :0.0" in ~/.gnupg/gpg-agent.conf to get Thunderbird and Enigmail to work properly for signing and encrypting email using gnupg2 under KDE4 in Mageia 4.

Code:
$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-qt
default-cache-ttl 1800
max-cache-ttl 7200
keep-display
display :0.0

I'd like to suggest that Mageia make these gpg-agent.conf parameters the defaults for its rpm installation of the enigmail package, using pinentry-qt for KDE and pinentry-gtk for GNOME, since the present default parameters don't work.
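Added example (not part of any post in this thread, and not Mageia or GnuPG code): the checks done by hand above gathered into one shell script, covering the agent socket and pid from GPG_AGENT_INFO, the pinentry-program path from gpg-agent.conf, and a non-interactive pinentry probe. The function names are hypothetical, and it assumes gpg-agent takes the whole rest of the line after pinentry-program as the path.

```shell
#!/bin/sh
# Added example: hand checks from this thread as functions (names are hypothetical).

# Print the pinentry-program value of a gpg-agent.conf (first occurrence).
# Assumption: the value is the whole rest of the line after the keyword.
conf_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if the configured pinentry is an executable regular file.
check_conf() {
    prog=$(conf_pinentry "$1")
    [ -n "$prog" ] || { echo "no pinentry-program set in $1"; return 1; }
    [ -f "$prog" ] && [ -x "$prog" ] ||
        { echo "pinentry-program is not an executable file: '$prog'"; return 1; }
    echo "pinentry-program ok: $prog"
}

# Split GPG_AGENT_INFO (socket:pid:protocol), then verify that the socket
# exists and that the agent process is alive (signalable by this user).
check_agent_info() {
    sock=${1%%:*}; rest=${1#*:}; pid=${rest%%:*}
    case $pid in
        ''|*[!0-9]*) echo "malformed GPG_AGENT_INFO: '$1'"; return 1 ;;
    esac
    [ -S "$sock" ] || { echo "agent socket missing: $sock"; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "agent pid $pid not running"; return 1; }
    echo "agent ok: pid $pid on $sock"
}

# Non-interactive counterpart of the manual GETPIN test: read the greeting
# and ask for the version, so no passphrase dialog is opened.
probe_pinentry() {
    reply=$(printf 'GETINFO version\nBYE\n' | "$1" 2>/dev/null | head -n 1)
    case $reply in
        OK*) echo "pinentry answers: $reply" ;;
        *)   echo "no greeting from '$1'"; return 1 ;;
    esac
}

# Run all three checks against the current session; status is the failure count.
diagnose() {
    conf=${1:-$HOME/.gnupg/gpg-agent.conf}; fails=0
    check_agent_info "${GPG_AGENT_INFO:-}" || fails=$((fails + 1))
    check_conf "$conf" || fails=$((fails + 1))
    probe_pinentry "$(conf_pinentry "$conf")" || fails=$((fails + 1))
    return "$fails"
}
```

Source the file inside the desktop session and run `diagnose`. A pinentry-program line that carries extra words after the path fails the executable check.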

Re: enigmail / gnupg2 doesn't work in KDE

Postby isadora » Feb 14th, '14, 09:37

Griffin, please mark the topic accordingly.

Do so by editing the title/subject in the first message of this topic.
Write [SOLVED] to the left of title/subject, that will do.

Thanks ahead! :)

Re: enigmail / gnupg2 doesn't work in KDE

Postby doktor5000 » Feb 14th, '14, 20:28

griffin wrote: I've solved this problem.

I removed "nograb" and added "keep-display" and "display :0.0" in ~/.gnupg/gpg-agent.conf to get Thunderbird and Enigmail to work properly for signing and encrypting email using gnupg2 under KDE4 in Mageia 4.

Code:
$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-qt
default-cache-ttl 1800
max-cache-ttl 7200
keep-display
display :0.0

I'd like to suggest that Mageia make these gpg-agent.conf parameters the defaults for its rpm installation of the enigmail package, using pinentry-qt for KDE and pinentry-gtk for GNOME, since the present default parameters don't work.

Would be nice if you could open a bug report for that so it's not forgotten - after searching if it hasn't been reported yet already: https://wiki.mageia.org/en/How_to_report_a_bug_properly

Re: enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 14th, '14, 20:39

doktor5000 wrote: Would be nice if you could open a bug report for that so it's not forgotten - after searching if it hasn't been reported yet already: https://wiki.mageia.org/en/How_to_report_a_bug_properly

Thanks, I'll do that this weekend.

Re: enigmail / gnupg2 doesn't work in KDE

Postby griffin » Feb 17th, '14, 06:21

doktor5000 wrote: Would be nice if you could open a bug report for that so it's not forgotten...

I did a clean install of Mageia 4 on a second hard drive, but I could not reproduce the Enigmail problem there. I installed Thunderbird and Enigmail, copied my ~/.thunderbird/* directory to that system, and copied just the bare minimum files to ~/.gnupg on that system -- gpg.conf, pubring.gpg, secring.gpg and trustdb.gpg -- *not* including the gpg-agent.conf file. I ran the Enigmail / OpenPGP setup wizard in Thunderbird, choosing to sign all sent messages.

When I created a test message to attempt to reproduce my enigmail / gnupg2 problem, it surprised me -- it worked!

Therefore I wondered whether I really need gpg-agent.conf on my upgraded Mageia 4 system. I backed up ~/.gnupg/gpg-agent.conf on my upgraded Mageia 4 system, killed gpg-agent, unset the environment variable GPG_AGENT_INFO, then logged out of KDE and logged back in again. The gpg-agent daemon is started with the parameter --keep-display in either /etc/X11/xinit.d/gpg-agent or /etc/profile.d/gpg-agent.sh. These scripts appear to be identical, but only one instance is started. I couldn't find out where, or whether, the system points to pinentry-qt, so I don't really know why it works now, but it simply works, so I'm happy. I have deleted my ~/.gnupg/gpg-agent.conf file.

Searches with grep -R on gpg-agent and pinentry in /etc/* and /usr/share/* show that there's been a lot of development on these components in the past few years, so I conclude that the problems I had with enigmail and gnupg vs gnupg2 starting with Mandriva, Mageia 1 or Mageia 2 -- it's been so long that I forget which -- have since been resolved.

Therefore the good news is that I won't need to file a bug report about this.