Size: 1572, Comment: New page. | Size: 1983, Comment: typo fix
Deletions are marked like this. | Additions are marked like this.
Line 1: | Line 1: |
Gnome Keyring hijacks the connection to GPG Agent (effectively performing a man-in-the-middle attack) | Some versions of Gnome Keyring hijack the connection to GPG Agent (they add themselfs as man-in-the-middle between gpg/gpgsm and gpg-agent) |
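Review bot: the added wording misspells "themselves" as "themselfs" and should read "as a man-in-the-middle"; the removed phrase "effectively performing a man-in-the-middle attack" stated the security consequence more directly, so consider keeping it alongside the new gpg/gpgsm detail.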
Line 3: | Line 3: |
with gpg-agent. gpg detects this and issues the following warning: | with gpg-agent. For Ubuntu this is the distribution default, see PlatformNotes. gpg (since version TODO) detects this and issues the following warning: |
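Review bot: "gpg (since version TODO)" leaves a placeholder in the published page; fill in the GnuPG version that introduced the hijack warning before saving, or drop the parenthetical until it is known.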
Line 11: | Line 15: |
according to both the GnuPG developpers and the Gnome Keyring developers. The motivation for hijacking the | according to both the GnuPG developers and the Gnome Keyring developers. The motivation for hijacking the |
Line 14: | Line 18: |
# provide a pretty dialog for requesting the user's password # save the user's pass phrase in Gnome Keyring so that the user doesn't need to enter the pass phrase. |
# provide a pretty dialog for requesting the user's passphrase # save the user's passphrase in Gnome Keyring's storage so that the user doesn't need to enter the pass phrase. |
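Review bot: the second item still ends with "enter the pass phrase" while the same edit changes the other two occurrences to "passphrase"; change the last one as well so the line is consistent.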
Line 28: | Line 32: |
For one way to work around this issue, see [[http://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/|this blog by Simon Josefsson]]. | The easiest way to avoid this problem is to uninstall Gnome Keyring. If that is not an option it is possible to prevent Gnome Keyring from hijacking gpg-agent. # For Gnome on Debian, see [[http://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/|this blog by Simon Josefsson]]. # For a general solution, see: [[http://www.gniibe.org/memo/notebook/gnome3-gpg-settings.html|this blog by Gniibe]]. |
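Review bot: "If that is not an option it is possible to prevent Gnome Keyring from hijacking gpg-agent" needs a comma after "option", and the second item's "see:" carries a colon that the first item's "see" does not; make the two items parallel.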
Some versions of Gnome Keyring hijack the connection to GPG Agent (they insert themselves as a man-in-the-middle between gpg/gpgsm and gpg-agent) by setting the GPG_AGENT_INFO environment variable to point to themselves. Gnome Keyring then filters all communication with gpg-agent.
For Ubuntu this is the distribution default, see PlatformNotes.
gpg (since version TODO) detects this and issues the following warning:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
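As an added example (not part of this wiki page, GnuPG or Gnome Keyring), a small check for the interposition described above: it parses GPG_AGENT_INFO as the socket:pid:protocol triple that gpg-agent 2.0.x exports and verifies that the process it names is gpg-agent. The process name "gpg-agent" and the "keyring" path heuristic are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check whether GPG_AGENT_INFO names a real gpg-agent or an interposed proxy.

GnuPG 2.0.x reads GPG_AGENT_INFO as "<socket path>:<pid>:<protocol>"; gpg-agent
exports its own socket and pid there, while an interposing tool (the Gnome Keyring
case on this page) points it at its own socket.  Assumptions, not guarantees: the
agent's process name is "gpg-agent" and a path containing "keyring" is Gnome Keyring's.
"""
import os
from pathlib import Path

def parse_agent_info(value):
    """Split 'socket:pid:protocol' into (path, pid, protocol); None if malformed."""
    parts = value.rsplit(":", 2)  # split from the right: the path itself may contain ':'
    if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
        return None
    return parts[0], int(parts[1]), int(parts[2])

def comm_of_pid(pid):
    """Process name from /proc/<pid>/comm (Linux); None if the pid is gone."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return None

def check_agent_info(value, lookup=comm_of_pid):
    """Return (verdict, reason).  `lookup` maps a pid to a process name and is
    injectable so the check can be exercised with constructed values."""
    if not value:
        return "unset", "GPG_AGENT_INFO is not set; nothing is interposed via it"
    parsed = parse_agent_info(value)
    if parsed is None:
        return "malformed", f"cannot parse {value!r} as socket:pid:protocol"
    path, pid, proto = parsed
    if "keyring" in path.lower():  # assumption: Gnome Keyring's socket lives under a 'keyring' dir
        return "hijacked", f"socket {path} looks like a Gnome Keyring socket"
    if pid == 0:
        return "suspicious", "pid field is 0, so no gpg-agent process is named"
    name = lookup(pid)
    if name is None:
        return "unknown", f"pid {pid} is not running or /proc is unavailable"
    if name != "gpg-agent":
        return "hijacked", f"pid {pid} is {name!r}, not gpg-agent"
    return "ok", f"{path} is served by gpg-agent (pid {pid}, protocol {proto})"

if __name__ == "__main__":
    print(*check_agent_info(os.environ.get("GPG_AGENT_INFO", "")))
```

Run it in the same session as gpg; a "hijacked" verdict corresponds to the situation in which gpg prints the warning quoted above.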
Both the GnuPG developers and the Gnome Keyring developers have written about the issue. The motivation for hijacking the connection is that Gnome Keyring wants to:
- provide a pretty dialog for requesting the user's passphrase
- save the user's passphrase in Gnome Keyring's storage so that the user doesn't need to enter the passphrase.
Unfortunately, Gnome Keyring's implementation of the protocol is incomplete. Thus, although many operations work, some do not; in particular, working with smart cards results in errors that look like this:
$ echo | gpg2 --sign
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
gpg: selecting openpgp failed: Unsupported certificate
gpg: signing failed: Unsupported certificate
The easiest way to avoid this problem is to uninstall Gnome Keyring. If that is not an option, it is possible to prevent Gnome Keyring from hijacking gpg-agent.
- For Gnome on Debian, see this blog by Simon Josefsson.
- For a general solution, see this blog by Gniibe.