Can't get gnupg to work: no pinentry

Hi, I think this is now fixed.

I have just tested this problem; I am on nixos-22.05 with KDE as desktop environment.
For me it worked out of the box.

My config:

programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  pinentryFlavor = "qt";
};

The gpg-agent will start with the selected pinentry flavor.

The Nix option advises the pinentry flavor to be used with your desktop environment; if you pick the non-advised one the agent is somehow slow.

Unfortunately I had a problem with my server that doesn't have a desktop environment.
On that one the gpg-agent was not falling back to the command line and was just giving an error.
The solution was to use the "curses" flavor.

programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  pinentryFlavor = "curses";
};

But weirdly the "curses" flavor doesn't work when an X display is active, in other words when a desktop environment is there.
This is not very nice because now I have to handle two different configs 🙁
Digging a little bit, it seems that the issue comes from gnupg, which in one case will try to use the tty and in the other case will try to use the X display, and there is no easy way to force it.

Quoting https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html:

> Since the ssh-agent protocol does not contain a mechanism for telling the agent on which display/terminal it is running, gpg-agent's ssh-support will use the TTY or X display where gpg-agent has been started.

@Seedscrapper: for me too, I had to reboot.

Hello all,

Looking more in detail, it actually detects the correct pinentry flavor out of the box, so in most cases the pinentryFlavor option is not even needed.

Improved for headless systems by nixos/gnupg: default to a reasonable pinentry program on headless sys… (NixOS/nixpkgs@9e44ffc on GitHub)

3 Likes

After following all comments and suggestions I am struggling here on a laptop: it seems pinentry-curses was invoked, but I got no chance to type anything, as it ran into the error without delay.

[nrb@mintanin:~]$ gpg --homedir . --quick-gen-key hovno
About to create a key for:
    "hovno"

Continue? (Y/n) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

[nrb@mintanin:~]$ 

A very basic "new" local NixOS install:

nixpkgs.config.allowUnfree = true;
services.pcscd.enable = true;
programs.gnupg.agent = {
  enable = true;
  pinentryFlavor = "curses";
  enableSSHSupport = true;
};
environment.systemPackages = with pkgs; [
  git
  rage
  pass # https://search.nixos.org/packages?show=pass
  gnupg
  pinentry-curses
];

Debug:

generator a better chance to gain enough entropy.
gpg: DBG: [no clock] keydb_release
gpg: DBG: chan_4 <- OK Pleased to meet you, process 71510
gpg: DBG: connection to the gpg-agent established
gpg: DBG: chan_4 -> RESET
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION ttyname=/dev/pts/0
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION ttytype=screen
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION putenv=XDG_SESSION_TYPE=tty
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION lc-ctype=en_GB.UTF-8
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION lc-messages=en_GB.UTF-8
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> GETINFO version
gpg: DBG: chan_4 <- D 2.3.7
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION allow-pinentry-notify
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> RESET
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> GENKEY --timestamp=20230112T133338
gpg: DBG: chan_4 <- S INQUIRE_MAXLEN 1024
gpg: DBG: chan_4 <- INQUIRE KEYPARAM
gpg: DBG: chan_4 -> D (genkey(ecc(curve 7:Ed25519)(flags eddsa comp)))
gpg: DBG: chan_4 -> END
gpg: DBG: chan_4 <- ERR 67108949 No pinentry <GPG Agent>
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

Don't set the home directory. It moves the agent socket location to some hashed directory for no reason and then starts its own agent because it cannot find the socket.

3 Likes
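The thread turns on three things: which pinentry program gpg-agent is configured with and whether it can actually run, whether that flavor has the tty or display it needs (the tty-versus-X point in the first post), and whether a non-default --homedir is in play (the reply just above). The following pre-flight check is an added example, not code from the thread or from NixOS; it assumes gpg-agent.conf lives in the GnuPG home directory (a system-wide file under /etc/gnupg may also exist and is not inspected here) and that pinentry binaries carry their flavor in their name (pinentry-curses, pinentry-qt, and so on).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for "No pinentry".
# Assumptions: gpg-agent.conf is read from the GnuPG home directory, and the
# pinentry flavor can be recognised from the program's basename.

# Usage: gpg_pinentry_check [GNUPGHOME]   (default: ~/.gnupg)
# Prints one finding per line; returns 0 unless something will surely fail.
gpg_pinentry_check() {
    homedir="${1:-$HOME/.gnupg}"
    rc=0

    # The --homedir reply: a non-default home directory makes gpg look for its
    # agent socket in a per-homedir hashed path, so the agent already running
    # for ~/.gnupg is not reused and a second one gets spawned.
    if [ "$homedir" != "$HOME/.gnupg" ]; then
        echo "WARN: non-default homedir $homedir; agent socket is not shared with ~/.gnupg"
    fi

    # Take the last pinentry-program line from gpg-agent.conf, if any.
    conf="$homedir/gpg-agent.conf"
    prog=""
    if [ -f "$conf" ]; then
        prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    fi

    if [ -z "$prog" ]; then
        echo "INFO: no pinentry-program in $conf; the agent uses its built-in default"
        return $rc
    fi
    if [ -x "$prog" ]; then
        echo "OK: pinentry-program $prog"
    else
        echo "FAIL: pinentry-program $prog is missing or not executable"
        rc=1
    fi

    # The tty-versus-X point from the first post: a curses/tty pinentry draws on
    # the terminal gpg reported to the agent, a GUI flavor needs a display.
    case "$(basename "$prog")" in
        *curses*|*tty*)
            if [ -z "$GPG_TTY" ] && ! [ -t 0 ]; then
                echo "FAIL: curses/tty pinentry but no terminal (stdin is not a tty and GPG_TTY is unset)"
                rc=1
            fi ;;
        *qt*|*gtk*|*gnome*)
            if [ -z "$DISPLAY" ] && [ -z "$WAYLAND_DISPLAY" ]; then
                echo "FAIL: GUI pinentry but neither DISPLAY nor WAYLAND_DISPLAY is set"
                rc=1
            fi ;;
    esac
    return $rc
}
```

Run it as `gpg_pinentry_check` for the default home directory, or pass the directory you gave to `--homedir`; a FAIL line points at the config or environment mismatch to fix before reaching for a different pinentry flavor.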

May I ask if there’s now a solution for this?

Yes, do what @efx said … and what @kamentomov said. !! Important: do not forget to edit ~/.gnupg/gpg-agent.conf !!

It seems gpg is still broken on NixOS. I need to jump through lots of hoops to do something I can do out of the box on other distributions.

I use gpg many hours of every day. Can you elaborate on what is broken?

Edit: very unimpressed with Discourse somehow taking my draft and turning it into an edit. Wtf.

1 Like

I think the problem is that documentation for GnuPG and Pinentry is strewn across the Wiki (but there is no GPG/GnuPG page), Discourse, the nix-dev mailing list, etc., but there is no official documentation.
@colemickens Would you mind creating some documentation based on your config? Preferably a section in the NixOS manual?
I will be happy to review the PR.

I’m using home-manager to configure my gpg/gpg-agent, and I’m a bit occupied, so I’m not sure I can commit to that. However…

I simplified my gpg config (mostly cleaning un-used cruft from ages ago when I was testing various combos of scdaemon / pscslite / disable-ccid) in the meantime, re-tested, and pushed.

NOTE: At one point in time I was also convinced that it was important to restart the systemd user services for gpg-agent*, for example after killing gpg-agent by hand, rather than letting gpg naively trigger it to startup. I still have a (not-cleaned-up) fix-gpg script that does that.

This is the current version that works for me:
https://github.com/colemickens/nixcfg/blob/52e6f2600b1f01dbd223652849caa32d9a4ef42e/mixins/gpg-agent.nix

2 Likes

I'm using home-manager standalone with Hyprland, and after trying some suggestions the following works for me.

services.gnome-keyring.enable = true;

programs.gpg.enable = true;
services.gpg-agent = {
  enable = true;
  pinentryFlavor = "gnome3";
};

Optionally, I have home.packages = [ pkgs.gnome.seahorse ]; installed to have a GUI.

5 Likes

For those who want a quick fix, e.g. you need to create a key before pushing a small change on GitHub from a bootable flash drive.

You can disable pinentry:

  1. Create a config file: ~/.gnupg/gpg.conf
  2. Add these 2 lines to the config file:
     • use-agent
     • allow-loopback-pinentry
  3. Run the key generation using the --pinentry-mode flag as shown below:

gpg --full-generate-key --pinentry-mode loopback

This is with the assumption that part of your nixos config file looks like this:

services.pcscd.enable = true;
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};

1 Like
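The three steps above, carried out as one script so that re-running it never duplicates config lines. This is an added example, not the poster's or NixOS's code. It assumes use-agent belongs in gpg.conf as the post says, while allow-loopback-pinentry is written to gpg-agent.conf, where gpg-agent's own manual documents that option; gpg and gpgconf are only invoked if they are on PATH. One caveat for the loopback mode: gpg then collects the passphrase on its own terminal instead of through pinentry, and will also accept it from --passphrase-fd or --passphrase, so keep passphrases out of command lines where they land in shell history and the process list.

```shell
#!/bin/sh
# Added example (not from the post or from NixOS): idempotent setup of the
# loopback-pinentry workaround, then the key generation from the post.
# Assumptions: use-agent -> gpg.conf (as posted); allow-loopback-pinentry ->
# gpg-agent.conf (per gpg-agent's manual); gpg/gpgconf are optional on PATH.

# Append line "$2" to file "$1" unless an identical line already exists.
# Returns 0 when the line was added, 1 when it was already present.
ensure_line() {
    file="$1"; line="$2"
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"          # gpg warns about a group/world-readable homedir
    touch "$file"
    if grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# Usage: setup_loopback [GNUPGHOME]   (default: ~/.gnupg)
# Prints how many lines were added (2 on first run, 0 afterwards).
setup_loopback() {
    home="${1:-$HOME/.gnupg}"
    added=0
    if ensure_line "$home/gpg.conf" "use-agent"; then added=$((added + 1)); fi
    if ensure_line "$home/gpg-agent.conf" "allow-loopback-pinentry"; then added=$((added + 1)); fi
    echo "$added"
}

# Generate the key exactly as the post does. A running agent is asked to
# reload so the new gpg-agent.conf line takes effect without a restart.
loopback_genkey() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; return 2; }
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent 2>/dev/null || true
    fi
    gpg --full-generate-key --pinentry-mode loopback
}
```

Typical use is `setup_loopback && loopback_genkey`; `setup_loopback` on its own is safe to re-run, since it reports 0 additions once both lines are present.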