Ubuntu – GPG/Agent does not ask for password

encryptionenigmailgnomegnupgthunderbird

I'm a bit frustrated by my Ubuntu (17.04) Setup with Enigmail 1.9.7/GPG 2.1.15. I think after changing from Ubuntu/Unity to Ubuntu GNOME (but I really don't know if that was the trigger), Enigmail stopped working: I can't decrypt incoming encrypted emails any more. I am not asked for my GPG key password, pinentry (despite generally working in tests) skips prompting for the password and gpg-agent just tells me that there was no password given.

Thunderbird/Enigmail tells me "Missing Passphrase", that's where I started. I then debugged the problem down as far as I could, using this link, the official Enigmail troubleshooting guide and many, many more links and guides.

I CAN sign mails (sent to myself as test), verifying them is no problem within Thunderbird.
I can send encrypted Mails to myself; the received Mail has a info from Enigmail that the passphrase is missing:
All the pinentry tests from the Enigmail troubleshooting guide are ok, I see the GNOME styled pinentry dialog.
My ~/.gnupg/gpg.conf contains a `use-agent' line (even if that is not needed any more in GPG 2.1)
My ~/.gnupg/gpg-agent.conf contains a line pinentry-program /usr/bin/pinentry-gnome3 – even pinentry-program /usr/bin/pinentry works here, as it automatically detects the DISPLAY/x11/GNOME it seems.

I've started a gpg-agent using gpg-agent --debug-level expert --daemon /bin/sh, logging all gpg agent activities, which outputs while trying to decrypt:

gpg-agent[22794]: DBG: chan_4 -> INQUIRE PINENTRY_LAUNCHED 22797
gpg-agent[22794]: DBG: chan_4 <- END
gpg-agent[22794]: DBG: error calling pinentry: No passphrase given <GPG Agent>
gpg-agent[22794]: failed to unprotect the secret key: No passphrase given
gpg-agent[22794]: failed to read the secret key
gpg-agent[22794]: command 'PKDECRYPT' failed: No passphrase given
gpg-agent[22794]: DBG: chan_4 -> ERR 67109041 No passphrase given <GPG Agent>
gpg-agent[22794]: DBG: chan_4 <- [eof]

If I save the encrypted mail to an eml file and do a gpg -d file.eml manually. Same result as before:

$ gpg -d FM.eml 
gpg: encrypted with 4096-bit RSA key, ID XXXXXXXXXXXXXXXX, created XXXX-XX-XX
      "Christian Gonzalez <xxxxxxx.xxxxxxxxx@xxxx.xxx>"
gpg: public key decryption failed: No passphrase given
gpg: decryption failed: No secret key

Editing ~/.gnupg/gpg.conf and removing the line

default-key XXXXXXXXXXXXX

did help in the first place, but after a system restart, the old problem returned.

Does anyone have a hint for me?

Maybe it has to do with Ubuntu's "peculiarity" in using Gnome-Keyring as agent? Is that true?

Best Answer

I had the same issue.

I removed the default pinentry package, namely pinentry-gnome3, and installed pinentry-qt instead, and now enigma does prompt me for the pass. I hope it works for you.

Related Solutions

Ubuntu – PGP Enigmail Problem, can no longer decrypt or sign the own messages

I had this problem on OSX with gpg v2 and fixed it by installing gpg v1 alongside it. Not sure if this is applicable to Ubuntu.

Ubuntu – Enigmail not asking for pgp passphrase but saying no key available

Try this: https://www.enigmail.net/support/gnupg2_issues.php In my case, I need install a grafical version of pinentry (pinentry-qt4 package).

"Resolving issues with GnuPG 2.x and gpg-agent

Note GnuPG 2.x requires an "agent" to handle passphrases. By default this is done by gpg-agent, but there are other tools implementing a subset of its functionality. These instructions are for gpg-agent only. If you use an agent like gnome-keyring, seahorse-agent or the KDE Wallet Manager, then these instructions don't apply. Most common Problem

Symptoms

The most common issue is that gpg-agent (a part of GnuPG) cannot launch pinentry (the tool used to query your passphrase). Enigmail would display messages like:

when reading messages:
Error - no matching private/secret key found to decrypt message; click on 'Details' button for more information

when sending messages:
- Send operation aborted. Error - encryption command failed
- Send operation aborted. Key 0x....... not found or not valid. The (sub-)key might have expired

How to Analyze

Try sending a signed and unencrypted message to yourself.
Check the output in the Enimgail log: go to menu Enigmail > Debugging Options > View Log.
Search for the following text: parseErrorOutput: status message. You will probably find this message several times. Check what follows below.
If the message says something like "no pinentry", "problem with the agent", "Invalid IPC response" or "problem with gpg-agent", then there is something wrong with your gpg-agent and/or pinentry setup.

How to Fix it

Execute the following script from a terminal to find out if a graphical version of pinentry is used:

pinentry <<EOT
SETDESC Hello World
CONFIRM
EOT

You should get a graphical window with a confirmation message "Hello World". If a "window" is opened within your terminal window then pinentry is text-based, which does not work with Enigmail. To fix this, ensure that a graphical version of pinentry is installed. On Linux/Unix systems, these would typically be pinentry-qt/pinentry-qt4 or pinentry-gtk/pinentry-gtk2, and on Mac OS X pinentry-mac. Rename the existing pinentry file to "pinentry-text" or similar, and create a symlink from pinentry-qt, pinentry-qt4, pinentry-gtk, pinentry-gtk2 or pinentry-mac to pinentry. Then restart your PC.

If the above does not help, check the contents of $HOME/.gnupg/gpg-agent.conf. Make sure that there is a configuration entry pinentry-program containing the full path to a graphical version of pinentry as above. E.g.:

pinentry-program /usr/local/bin/pinentry-gtk

Then save the file and restart your PC.

If you still can't access your key, then execute the following script from a terminal:

gpg-connect-agent <<EOT
GETINFO version
EOT

The output should be something like the text below, where 2.0.26 represents the agent version number. The version number should match your gpg version number:

D 2.0.26
OK

If you get an error message like "ERR 280 not implemented" then you don't use gpg-agent, but one of the alternatives like gnome-keyring. We recommend you switch to gpg-agent by disabling your current agent. See e.g. askubuntu for how to disable gnome-keyring or how to disable KDE wallet.

If you get a useful result from above, then execute the following script from a terminal:

gpg-connect-agent <<EOT
GET_CONFIRMATION Hello
EOT

Pinentry should now open as a graphical window (just like above), with the difference to the step above that this instance of pinentry was launched from gpg-agent. If this is successful, then GnuPG 2 should work correctly in Enigmail.

If gpg-agent still cannot launch pinentry from Enigmail, then you need to start debugging gpg-agent. Execute the following commands from a terminal:

killall gpg-agent
gpg-agent --debug-level expert --use-standard-socket --daemon /bin/sh

This will start gpg-agent from the command line, open a new shell and print the debug output to that shell. If the command succeeded, you will see somehting like:
gpg-agent[76979]: gpg-agent 2.0.26 started
Leave the terminal window untouched, start Thunderbird and try to use Enigmail. As you'll try to access gpg-agent, you will see the output in your terminal window. If gpg-agent cannot start pinentry successfully, you will see something like this:

gpg-agent[76993]: starting a new PIN Entry
gpg-agent[76993]: chan_19 <- ERR 67109133 can't exec `/usr/bin/pinentry': No such file or directory
gpg-agent[76993]: chan_19 -> BYE
gpg-agent[76993]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[76993]: command get_passphrase failed: No pinentry

Press Ctrl+D in the terminal to end the debugging session. The bold line should tell you the reason for the error (in the example above, pinentry cannot be found). Try to fix the error and repeat the test."

Best Answer

Related Solutions

Ubuntu – PGP Enigmail Problem, can no longer decrypt or sign the own messages

Ubuntu – Enigmail not asking for pgp passphrase but saying no key available

Related Question