Agent not working when specifying a non-standard home directory

Basic XP

01 Nov, 2013 02:40 PM

I am having a problem with the GPG Agent not working when specifying a non-standard directory for gpg on command line.
Configuration files were copied over from ~/.gnupg. The program works properly without specifying a home directory. I am using a non-standard path to store my master secret key separately from the keychain that's going to be used daily.

Steps to reproduce:

  1. Run the following command:
    gpg --homedir="$(pwd)" --lock-never --no-permission-warning --expert --gen-key
    
  2. Input all the required parameters
  3. Attempt to generate a new key

Actual result:

An error occurs when the program tries to access the GPG Agent to securely request a password.

gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running

Expected result:

GPG Agent starts up, asks for a password, key generation completes successfully.

Attachments:

Снимок экрана 2013-11-01 в 18.19.48.png: error screenshot
gpg.conf: GnuPG configuration
gpg-agent.conf: GPG Agent configuration

Environment:

Mac OS X 10.9 build 13A603
GPG Tools: stable build from October 22nd
GnuPG: 2.0.22
libgcrypt: 1.5.3

  1. 1 Posted by Basic XP on 02 Nov, 2013 11:00 AM

    This is what's output when GPG is run in verbose mode:

    gpg: no running gpg-agent - starting one
    gpg: waiting 5 seconds for the agent to come up
    gpg: can't connect to the agent: IPC connect call failed
    gpg: problem with the agent: No agent running
    gpg: no running gpg-agent - starting one
    gpg: waiting 5 seconds for the agent to come up
    gpg: can't connect to the agent: IPC connect call failed
    gpg: problem with the agent: No agent running
    gpg: Key generation canceled.
    

    Yet, if I run gpg-agent, it tells me that the agent is actually running:

    gpg-agent: gpg-agent running and available
    
  2. 2 Posted by Basic XP on 03 Nov, 2013 08:24 AM

    The same problem has been reported by someone on the gnupg-users mailing list, but, sadly, there was no solution.
    http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044138.html

  3. Support Staff 3 Posted by Mento on 07 Nov, 2013 03:38 PM

    Try to start the gpg-agent using the following command:

    gpg-agent --homedir="$(pwd)" --daemon
    
  4. 4 Posted by Basic XP on 07 Nov, 2013 06:05 PM

    I thought the agent should start up automatically. Anyway, this made the situation better, but did not completely solve it. The location of the external keychain is on an exFAT TrueCrypt volume. This led to two problems, only one of which I was able to solve:

    1. It can't create a socket file on such a file system. Got over this by telling GnuPG to use the /tmp folder instead, saving environment info in a file and then sourcing it in a script. Here's the script I'm using (I know, it's terribly inefficient, just a temporary solution, a better option is always welcome :D ):

      #!/bin/bash
      # Directory holding the separate GnuPG home (the current directory).
      HOMEDIR=$(pwd)
      GPGAGENT_CMDLINE="gpg-agent --homedir ${HOMEDIR}"
      # Put the socket outside the exFAT volume and record the agent's
      # environment in a file so this script can pick it up.
      GPGAGENT_CMDLINE_FULL="$GPGAGENT_CMDLINE --daemon --no-use-standard-socket --write-env-file ${HOMEDIR}/gpg-agent.env"
      # PID of an agent already started with this exact command line, if any
      # (the grep process itself is filtered out before matching).
      function gpa_pid() {
          ps x | grep -v grep | grep -m1 "$GPGAGENT_CMDLINE" | awk '{ print $1 }'
      }
      GPGAGENT_PID=$(gpa_pid)
      # Start the agent only if none is running; eval its output so that
      # GPG_AGENT_INFO is exported in this shell.
      [ -z "$GPGAGENT_PID" ] && eval "$($GPGAGENT_CMDLINE_FULL)"
      GPGAGENT_PID=$(gpa_pid)
      source "${HOMEDIR}/gpg-agent.env"
      LANG=en gpg --homedir="${HOMEDIR}" --lock-never --no-permission-warning --expert "$@"
      # Tear the agent down again and remove its environment file.
      [ -n "$GPGAGENT_PID" ] && kill "$GPGAGENT_PID"
      rm -f "${HOMEDIR}/gpg-agent.env"
      
    2. Even though the folder is writable and GnuPG automatically creates the pubring.gpg, secring.gpg and others, it can't write the key after it has been generated:

      gpg: no writable public keyring found: Unknown system error
      Key generation failed: Unknown system error
      
      No idea why this is happening, verbose mode doesn't provide any further information.
  5. Support Staff 5 Posted by Luke Le on 07 Nov, 2013 06:23 PM

    Hi Roman,

    ah, we've seen such a TrueCrypt setup before.
    With the patched --no-use-standard-socket it uses a socket in a fixed position in /tmp, so the whole --write-env thingy shouldn't be necessary.
    I think --lock-never should also not be necessary.
    Could you remove those options and re-try it without the wrapper script?

    Could you try creating a key and adding the option --status-fd 1?
    This might reveal some more information on what's going wrong.

  6. 6 Posted by Basic XP on 07 Nov, 2013 06:50 PM

    Okay, so this is what I got now (started from scratch, removed all *.gpg files):

    basicxp@me665 /Volumes/Security/PGP % gpg-agent --homedir /Volumes/Security/PGP --daemon --no-use-standard-socket
    GPG_AGENT_INFO=/tmp/gpg-agent/basicxp/S.gpg-agent:2866:1; export GPG_AGENT_INFO;
    basicxp@me665 /Volumes/Security/PGP % LANG=en gpg --homedir /Volumes/Security/PGP --status-fd 1 -v --no-permission-warning --expert --gen-key
    gpg (GnuPG/MacGPG2) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    gpg: lock not made: link() failed: Operation not supported
    gpg: can't lock `/Volumes/Security/PGP/secring.gpg'
    gpg: DBG: Oops, `/Volumes/Security/PGP/secring.gpg.lock' is not locked
    gpg: keyblock resource `/Volumes/Security/PGP/secring.gpg': General error
    gpg: lock not made: link() failed: Operation not supported
    gpg: can't lock `/Volumes/Security/PGP/pubring.gpg'
    gpg: DBG: Oops, `/Volumes/Security/PGP/pubring.gpg.lock' is not locked
    gpg: keyblock resource `/Volumes/Security/PGP/pubring.gpg': General error
    Please select what kind of key you want:
    [--snip--]
    You need a Passphrase to protect your secret key.
    [GNUPG:] NEED_PASSPHRASE_SYM 9 3 10
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    [GNUPG:] PROGRESS primegen . 0 0
    [GNUPG:] PROGRESS primegen . 0 0
    [GNUPG:] PROGRESS primegen . 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen X 100 100
    [GNUPG:] PROGRESS primegen . 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen + 0 0
    [GNUPG:] PROGRESS primegen X 100 100
    gpg: writing self signature
    [GNUPG:] GOOD_PASSPHRASE
    gpg: RSA/SHA1 signature from: "0x0928ED8D [?]"
    gpg: no writable public keyring found: Unknown system error
    Key generation failed: Unknown system error
    [GNUPG:] ERROR key_generate 65535
    [GNUPG:] KEY_NOT_CREATED
    
    It seems that --lock-never is optional: it still proceeds without it, I just get lots of warnings at the beginning.
  7. Support Staff 7 Posted by Luke Le on 19 Nov, 2013 06:15 PM

    Hi Roman,

    the problem here is that the USB/external drive you're using is probably not HFS+ formatted. In that case the link command, which is used by gpg when locking a file, doesn't work.

    Unfortunately there is little we can do about this at the time, but we'll look into it.
    I've created a ticket for this problem where you can track progress:
    http://gpgtools.lighthouseapp.com/projects/66001/tickets/126

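The explanation above (GnuPG creates its *.lock files with link(), which exFAT refuses) suggests a check a practitioner would run before choosing a home directory on a removable or encrypted volume. The POSIX shell functions below are an added example, not code from this thread or from GPGTools; the function names and the probe file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): probe whether a directory's filesystem
# supports hard links, the operation GnuPG 2.0 uses for its *.lock files.
# On exFAT/FAT volumes the probe fails, matching the
# "lock not made: link() failed: Operation not supported" lines in the log.

# fs_supports_hardlinks DIR
#   returns 0 if a hard link can be created inside DIR,
#           1 if the filesystem refuses hard links,
#           2 if DIR does not exist or is not writable.
fs_supports_hardlinks() {
    dir=$1
    [ -d "$dir" ] || return 2
    # Probe file name is an assumption; it lives in DIR so the link test
    # runs on the same filesystem GnuPG would lock on.
    probe="$dir/.hardlink-probe.$$"
    : > "$probe" 2>/dev/null || return 2
    if ln "$probe" "$probe.lnk" 2>/dev/null; then
        rm -f "$probe" "$probe.lnk"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# gnupg_homedir_report DIR
#   prints a one-line verdict and returns the probe's status, so it can be
#   used as a guard in a wrapper script before starting gpg-agent.
gnupg_homedir_report() {
    dir=$1
    if fs_supports_hardlinks "$dir"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) printf '%s: hard links OK, GnuPG lock files will work\n' "$dir" ;;
        1) printf '%s: no hard links, GnuPG cannot create its *.lock files here\n' "$dir" ;;
        *) printf '%s: directory missing or not writable\n' "$dir" ;;
    esac
    return $rc
}
```

Usage: run `gnupg_homedir_report /Volumes/Security/PGP` (the path used in the thread) before `gpg-agent --homedir /Volumes/Security/PGP --daemon --no-use-standard-socket`; a non-zero status means the keyrings cannot be locked on that volume and key generation will fail with the errors shown in the log, regardless of how the agent is started.
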
  8. 8 Posted by Basic XP on 20 Nov, 2013 04:55 PM

    It is, as I mentioned above, indeed not HFS+ formatted; it's exFAT. But why is it trying to lock the file even when I explicitly tell it not to?

  9. Support Staff 9 Posted by Steve on 29 Dec, 2013 10:21 PM

    Roman, we'll look into this. Sorry we don't have any results yet.

    I'm closing this discussion. It will be re-opened as soon as there is anything related to the ticket Luke mentioned.

    steve

  10. Steve closed this discussion on 29 Dec, 2013 10:21 PM.
