GPG and Gnome Apps

Hello all, I’ve been pulling my hair out for most of the day trying to get this sorted out. I’ve been trying to get GPG set up for email signing and encryption, but am having no luck at all. I went into Seahorse to try and generate a keypair, but when going to New, I have NO options for PGP keys. I finally reverted to doing it on the CLI, which worked fine (or so it would seem). The keypair I generated is still not showing up in Seahorse though. What’s more, I put the fingerprint into Evolution, but when I attempt to sign an email, I get the following error:

Could not create message.
Because "gpg: writing to '-'
gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled
", you may need to select different mail options.

(potentially) relevant environment data:

[763]$ env | egrep -i 'ssh|gpg'
SSH_AGENT_PID=2647
GPG_AGENT_INFO=/run/user/1000/keyring/gpg:0:1
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_ASKPASS=/usr/lib/ssh/ssh-askpass
GPG_TTY=/dev/pts/3
CVS_RSH=ssh
LASTHISTORY= 763 env | egrep -i 'ssh|gpg'

What’s more, none of the logs show any relevant data… I’m completely stumped, any help would be appreciated.

On Wed 18 Feb 2015 06:16:01 PM CST, ardichoke wrote:
> [quotes the original post above in full]

Hi
I just ran;


gpg --gen-key

Answered the questions, then in Evolution Preferences, Mail Accounts,
highlighted the account, pressed Edit, then in the ‘Security’ tab added
the OpenPGP Key ID generated under ‘pub’, pressed OK, then composed
and sent a gpg-signed message, no Seahorse or keyring involved…


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.36-38-default

I’m sorry if I was not clear, I also generated a key using the command you mentioned and added the appropriate fingerprint to Evolution (under the ‘security’ tab). After doing that, when trying to send a signed email, I got the Evolution error which I posted in my original post. The fact that seahorse isn’t working properly is not important, except that it annoys me when things are broken so I want to fix them.

No one else has any suggestions on this? Am I the only person using Gnome on Tumbleweed?

I’m sure there are others.

I use KDE, which is part of why I have not replied previously. And you seem to describe starting from scratch, which is the other part of why I have not replied previously.

I did run into gpg problems. I reported them as Bug 914625. Although that bug is listed as solved, there are still problems.

As best I understand the bug, it is related to the presence of older keys (from pgp2 days). If you don’t have any of those, then it is probably not the source of your problems. But if you do have some of those, then take a look at that bug report.

I don’t use “evolution”, though I do have Gnome installed. Once I had a work-around for the gpg problems, I did test it in Gnome. Seahorse seemed to be working okay. But I did not try sending any signed email. I’m pretty sure that if you have old pgp2 keys and have not applied the work-around, you will run into problems on Gnome. I’m not sure if they will look like the problems that you are seeing.

Also check the permissions of “$HOME/.gnupg”. It should not be group or publicly readable, or some software will complain.

PREFACE: This post is long… unnecessarily long… but it became like a stream of consciousness thing, I kept thinking of things to try as I was writing it so I wanted to leave it intact.

Thank you for taking the time to reply… any feedback is better than dead silence. The latter makes you feel like you’re shouting into the void.

I don’t have any old keys, this is a clean setup (new job, new (to me) laptop, new install, new keys). Permissions on ~/.gnupg are appropriate (0700), I allowed gpg itself to create that directory, so they had better be right! What’s more, gpg itself works fine… that’s how I generated the keys in the first place, and I was able to sign/encrypt test files on the command line without a problem. I even installed GNU Privacy Assistant, and it shows my key just fine. It seems like the binding between gnome applications and gpg is somehow broken, but I can’t figure out how.

I did notice that part of the error message given when trying to sign emails in Evolution (gpg: signing failed: Operation cancelled) is the same as the error given on the command line if you type your private key password in wrong. The thing is, Evolution is never even popping up to ask me for my key password in the first place! What’s more, as mentioned before, Seahorse doesn’t list my gpg keys, even though gpg --list-keys at the command line does, and doesn’t give the option to create a new PGP key in the new item dialog. It’s as if it is oblivious to the fact that gpg is present on the system.

Of course, to top it all off, I don’t see any relevant errors when watching journalctl -f while testing this, and I can’t figure out a way to run either evolution or seahorse verbosely from the command line to see if that gives me any clues. I’m almost at the last resort of trying to run them with strace… but I’m rarely able to glean useful information from that output.

While writing this response, of course, I decided to try a non-Gnome interface for GPG. So I installed GNU Privacy Assistant. When I launch it, it shows my key and I can see all the relevant information… however, if I try and generate a new key, it throws an error referring to gpgme. Attempting to do anything that would require inputting the password also silently failed… so I ran gpa from the command line… lo and behold, it starts prompting for passwords at the command line any time I tried doing something that failed before. It appears that the root of at least some of my problems may be a failure to pop up a password prompt.

I did some more digging and found that gpgme uses pinentry to prompt for passwords. Checked it out and while pinentry, pinentry-tty and pinentry-curses were all installed… pinentry-gtk was NOT. Installed pinentry-gtk2 package and now sending signed and/or encrypted email from Evolution works. GPA also works properly now. Seahorse still fails to display any GPG keys or give the option for generating them, but I guess that’s not such a big deal since I can just use GPA instead (it would be nice if the baked-in programs actually worked as intended though).

I guess my question now becomes, where should I file the report that pinentry-gtk2 isn’t properly marked as a dependency of Evolution, since not having it breaks functionality in Evolution.
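The post above narrows the fault down by hand: gpg hands the passphrase prompt to gpg-agent, the agent runs whatever pinentry it finds, and if that is a curses/tty pinentry then a mail client started from the desktop, which has no controlling terminal, gets "signing failed: Operation cancelled" instead of a dialog. The check below automates that reasoning. It is an added example, not code from the thread, GnuPG, Evolution or GNOME. The filesystem probes (`exists`, `resolve`) are injected so it can be run against a constructed layout; the pinentry names, the PATH order and the `/keyring/` heuristic for spotting gnome-keyring's socket (taken from the GPG_AGENT_INFO value in the original post) are the example's own assumptions.

```python
"""Diagnostic for the failure mode tracked down above: gpg asks gpg-agent for a
passphrase, the agent runs a pinentry, and if the only pinentry on the box needs
a terminal, a desktop app gets 'Operation cancelled'.
Added example, not code from the thread, GnuPG or GNOME."""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Names as shipped by most distros (assumption); 'pinentry' itself is usually a
# symlink to one of these, which is why the symlink is resolved below.
GUI_PINENTRIES = ("pinentry-gnome3", "pinentry-gtk-2", "pinentry-qt")
TTY_PINENTRIES = ("pinentry-curses", "pinentry-tty")


def parse_agent_info(value: str) -> Tuple[str, int, int]:
    """Split the legacy GPG_AGENT_INFO value 'socket:pid:protocol-version'
    (the format shown in the original post)."""
    sock, pid, proto = value.rsplit(":", 2)
    return sock, int(pid), int(proto)


def configured_pinentry(conf_text: str) -> Optional[str]:
    """Return the 'pinentry-program' set in gpg-agent.conf, if any."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"pinentry-program\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def find_pinentry(path_dirs: List[str], exists: Callable[[str], bool]) -> Optional[str]:
    """First pinentry found on PATH, GUI variants preferred."""
    for name in GUI_PINENTRIES + TTY_PINENTRIES + ("pinentry",):
        for d in path_dirs:
            cand = os.path.join(d, name)
            if exists(cand):
                return cand
    return None


def diagnose(env: Dict[str, str], conf_text: str,
             exists: Callable[[str], bool],
             resolve: Callable[[str], str]) -> Dict[str, object]:
    """'exists' and 'resolve' are injected (os.path.exists / os.path.realpath
    for real use) so the check can also run against a constructed layout."""
    findings: List[str] = []
    pinentry = configured_pinentry(conf_text)
    if pinentry is not None and not exists(pinentry):
        findings.append("gpg-agent.conf sets pinentry-program %s, which does not exist" % pinentry)
        pinentry = None
    if pinentry is None:
        pinentry = find_pinentry(env.get("PATH", "").split(os.pathsep), exists)
    gui = False
    if pinentry is None:
        findings.append("no pinentry on PATH: every passphrase prompt will fail")
    else:
        target = resolve(pinentry)
        gui = os.path.basename(target) in GUI_PINENTRIES
        if not gui:
            findings.append("%s -> %s is terminal-only; a desktop app has no tty to prompt on"
                            % (pinentry, target))
    info = env.get("GPG_AGENT_INFO")
    if info:
        sock, pid, _ = parse_agent_info(info)
        if not exists(sock):
            findings.append("GPG_AGENT_INFO socket %s does not exist" % sock)
        elif "/keyring/" in sock:  # heuristic: gnome-keyring's socket lives under .../keyring/
            findings.append("GPG_AGENT_INFO (%s, pid %d) is gnome-keyring's agent, not gpg-agent; "
                            "gpg 2.1 and later ignore the variable entirely" % (sock, pid))
    return {"pinentry": pinentry, "gui": gui, "findings": findings}


if __name__ == "__main__":
    conf_path = os.path.expanduser("~/.gnupg/gpg-agent.conf")
    conf = open(conf_path).read() if os.path.exists(conf_path) else ""
    report = diagnose(dict(os.environ), conf, os.path.exists, os.path.realpath)
    print("pinentry:", report["pinentry"], "(GUI)" if report["gui"] else "(terminal)")
    for f in report["findings"]:
        print(" -", f)
```

Run it as-is on the affected desktop and it reports which pinentry gpg-agent will actually execute; the fix in the thread (installing a GTK pinentry) flips the verdict from terminal-only to GUI without touching any config. The same reasoning also covers the "No such file or directory" variant reported later in the thread when a `pinentry-program` line names a binary that is not there, which the check flags before falling back to the PATH search.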

I get that error in KDE also, under some circumstances. I think it’s a gpa problem.

However, I think you have found a bug, and you probably should report it.

I did just login to Gnome in Tumbleweed. And seahorse does not show any gpg keys. But with opensuse 13.2 on the same computer all is fine (again with Gnome).

I’m guessing here. The most recent versions of gpg have changed how they communicate with gpg-agent. Previously, they used an environment variable “$GPG_AGENT_INFO”. The newest version instead uses a unix domain socket (or named pipe) that is in “$HOME/.gnupg”. My guess is that Gnome has not caught up with this change in gpg.
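The guess above is about where gpg finds its agent and who is answering on the other end. gpg and its agent speak the Assuan line protocol over that socket, so the quickest way to settle it is to connect and ask: a real gpg-agent answers `GETINFO version` with a `D` line carrying its version and then `OK`, and rejects commands it does not know with an `ERR` line. The probe below does exactly that, trying the `S.gpg-agent` socket in the GnuPG home first (what gpg 2.1 and later use) and the legacy `GPG_AGENT_INFO` path second. It is an added example, not code from the thread, GnuPG or GNOME; the in-process fake agent, its version string and the exact text of its reply lines are constructed here so the probe runs offline. Against a live system, point `agent_version` at the real socket, or use `gpg-connect-agent 'GETINFO version' /bye` from the shell, which does the same thing.

```python
"""Probe whichever agent gpg would talk to and ask it what it is.
Added example, not from the thread, GnuPG or GNOME. The fake agent is
constructed here so the probe runs offline."""
import os
import shutil
import socket
import tempfile
import threading
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes


def agent_socket_candidates(env: dict, gnupghome: str) -> List[str]:
    """Where gpg looks for its agent: gpg 2.1+ ignores GPG_AGENT_INFO and uses
    S.gpg-agent in its home directory; older gpg (and gpgme built against it)
    honours the variable. Return both, 2.1 order first."""
    paths = [os.path.join(gnupghome, "S.gpg-agent")]
    info = env.get("GPG_AGENT_INFO")
    if info:
        paths.append(info.rsplit(":", 2)[0])  # 'socket:pid:protocol-version'
    return paths


def _readline(sock: socket.socket) -> bytes:
    """Read one newline-terminated Assuan line (b'' once the peer closes)."""
    buf = bytearray()
    while True:
        b = sock.recv(1)
        if not b:
            return bytes(buf)
        buf += b
        if b == b"\n":
            return bytes(buf)


def assuan_request(sock_path: str, command: str, timeout: float = 2.0) -> Tuple[str, bytes]:
    """Send one Assuan command; return (final status line, concatenated D data)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        greeting = _readline(s).decode().rstrip("\n")
        if not greeting.startswith("OK"):
            raise RuntimeError("not an Assuan server: %r" % greeting)
        s.sendall(command.encode() + b"\n")
        data: List[bytes] = []
        while True:
            line = _readline(s).decode().rstrip("\n")
            if line.startswith("D "):
                data.append(unquote_to_bytes(line[2:]))  # D lines are %XX-escaped
            elif line.startswith("OK") or line.startswith("ERR "):
                status = line
                break
            elif line == "":
                raise RuntimeError("agent closed the connection")
            # 'S ' status lines and '#' comments are skipped
        s.sendall(b"BYE\n")
        return status, b"".join(data)


def agent_version(sock_path: str) -> Optional[str]:
    status, data = assuan_request(sock_path, "GETINFO version")
    return data.decode() if status.startswith("OK") else None


def fake_agent(sock_path: str, version: str = "2.0.26", connections: int = 1,
               ready: Optional[threading.Event] = None) -> None:
    """Constructed stand-in for gpg-agent: answers GETINFO version and rejects
    anything else with an Assuan ERR line. Offline demo only."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(connections)
        if ready:
            ready.set()
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(5)
                conn.sendall(b"OK Pleased to meet you\n")
                while True:
                    words = _readline(conn).decode().split()
                    if not words:
                        break  # peer went away
                    try:
                        if words[0] == "BYE":
                            conn.sendall(b"OK closing connection\n")
                            break
                        if words[:2] == ["GETINFO", "version"]:
                            conn.sendall(("D %s\nOK\n" % version).encode())
                        else:
                            conn.sendall(b"ERR 67109139 Unknown IPC command <GPG Agent>\n")
                    except OSError:
                        break  # client closed right after BYE; nothing to do
    os.unlink(sock_path)


def run_demo() -> Tuple[Optional[str], str]:
    """Stand up the fake agent in a throwaway GnuPG home and probe it."""
    home = tempfile.mkdtemp(prefix="gnupg-demo-")  # stands in for ~/.gnupg
    sock = agent_socket_candidates({}, home)[0]
    ready = threading.Event()
    t = threading.Thread(target=fake_agent, args=(sock,),
                         kwargs={"connections": 2, "ready": ready}, daemon=True)
    t.start()
    ready.wait(5)
    version = agent_version(sock)
    status, _ = assuan_request(sock, "NOSUCH")
    t.join(5)
    shutil.rmtree(home, ignore_errors=True)
    return version, status


if __name__ == "__main__":
    print("fake agent says:", run_demo())
```

Whatever answers on the socket, the greeting and the reply shape tell you whether gpg's idea of "the agent" is gpg-agent or something else impersonating it, which is the distinction the rest of the thread turns on.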

Yeah, if I could figure out HOW to file a bug report, I would. Their bugzilla setup has to be the most strange and convoluted thing I’ve ever seen. This is making me long for the days when I filed bugs in FlySpray.

Try the guided filing:

openSUSE:Submitting bug reports

Yeah, I saw that, my concern is the fact that neither Tumbleweed nor Factory is listed in the Operating System list there… so what OS should I be filing the bug under? Perhaps I shouldn’t be so picky about doing everything “right” and just throw it against the wall, see what sticks…

I see “openSUSE factory” at the top of the list (one paragraph earlier than the others).

Hi, you shouldn’t need the pinentry thing. That’s not part of GNOME. GNOME has an integrated GPG agent in the gnome-keyring package that does not use this at all. Upstream GnuPG doesn’t like this and has been intentionally trying to break GPG for GNOME users with newer versions of GPG. And nobody in GNOME is working on keeping up with the changes (which would require us to write such a pinentry, but one that is actually integrated with gnome-keyring of course). Basically the situation is that the GnuPG developer does not want GNOME to remember your passphrase, but GPG would not be worth supporting at all for GNOME if users had to type a password each time to send an email: that would suck, right? Possibly the situation is irreconcilable because the GnuPG guy seems impossible to work with, but who knows what the future holds. There is a mailing list thread about this here: http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html

Anyway, there are two streams of GnuPG releases: 1.x and 2.x. For the time being the 1.x releases are still compatible with GNOME. So distros need to ensure seahorse is configured (at compile time!) to use only gpg1 and not gpg2. For versions prior to 3.16 (which isn’t out yet, but will be released later this month) you will also need this patch: https://git.gnome.org/browse/seahorse/commit/?id=48362cd12c80b941b2371ceaab3decb74811ed7a

Lastly, update folks must also take care when updating gpg1 to always test it with gnome-keyring before submitting the update, because I have no clue how long that will continue to work for. Of course, if/when a future gpg1 update breaks gnome-keyring, it will probably be a security update, so…

P.S. I’m not an expert on GPG or this situation or anything and am not the right guy to answer technical questions regarding this: I’m just posting the basics as I see it.

P.P.S. Unrelated note: Seahorse 3.14.0 is super broken for SSH as well. That’s a Seahorse bug: you really really want 3.14.1. That’s already in Factory.

To be clear: pinentry-gtk2 is not a dependency of Evolution and should not be required by Evolution. Most likely gnome-keyring’s GPG agent is broken in openSUSE. It still works great for me with Evolution, but I am using another distro.

This isn’t going to work very well when opensuse provides only gpg2 and not gpg1.

That’s not true.

There is a mailing list thread about this here: http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html

Which simply says that gnupg developers do not want gnome keyring agent to pretend it is gnupg agent because it does not implement all functionality of gnupg agent. That GNOME developers misused it for caching passphrases is an unfortunate side effect.
If you care so much, why don’t you reimplement the gnome shell passphrase dialogue using the pinentry interface, as suggested in the thread you mentioned?

I doubt openSUSE would remove gpg1 anytime soon, even if it was not a dependency of GNOME, since gpg2 was released in 2006 yet gpg1 is still getting new upstream releases. If you do remove it then you should seriously consider patching the GPG functionality out of seahorse and gnome-keyring.

He says both things. :) I’ll just quote Werner, from his first post in that thread:

There are no passwords to save. You do not want to do that by default. If users figure out a way to do that anyway, they may do that but we should not make it too easy for them. Recall that we are talking about passphrases to protect a private key and not about passphrases used in any authentication or encryption protocol.

The way forward for GNOME would be to use the pinentry interface. Should work. He would still oppose this, but I highly doubt he’d do anything to break it.

If you care so much, why don’t you reimplement the gnome shell passphrase dialogue using the pinentry interface, as suggested in the thread you mentioned?

Not enough time in the day. If gpg1 stops working then I would probably stop using GPG. It’s an unfortunate situation, but that’s life. Anyway, hope I provided enough info to help.

Where is it?

I do not find gpg1 in the repos. If I search “software.opensuse.org”, I can only find unstable packages. It seems to me that it was removed long ago, though some users are building it in OBS (giving unstable packages). “/usr/bin/gpg” is a symlink to “gpg2”.

You’re right! Didn’t know that. I think you’re the only distro that’s gotten rid of it. (My guess is sometime in the past two years, because I think I remember reading about that now that you’ve pointed it out.)

Well, this sucks a lot. :) For gnome-keyring, I suspect the proper fix is to build with --disable-gpg-agent. For seahorse, I’m not sure: you might have to bring back the original gpg or give up on seahorse (or dig in and really fix it). Best of luck…

If anyone is currently in college and wants to get paid to write a pinentry for GNOME and resolve this issue, it’s a GSoC project suggestion: https://wiki.gnome.org/Outreach/SummerOfCode/2015/Ideas

I’m experiencing the exact same issue as the post’s creator, with both Evolution and Thunderbird+Enigmail, and Seahorse doesn’t even support the creation of a GPG key, so I’ve generated one from the terminal and configured it in both mail clients, but signing/encrypting gives this error:

Because "gpg: writing to '-'
gpg: signing failed: No such file or directory
gpg: signing failed: No such file or directory
", you may need to select different mail options.

Any new clue about this?