Bug 355879 - sys-fs/cryptsetup - GPG_TTY var must be set for pinentry-ncurses to work
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2011-02-21 17:53 UTC by Timm Murray
Modified: 2012-12-22 00:57 UTC
Description Timm Murray 2011-02-21 17:53:27 UTC
Recent versions of GnuPG use pinentry to grab a passphrase from the user.  The pinentry program has versions for ncurses, qt4, and gtk.  However, at startup, even ncurses may not work. If you have a dmcrypt mapping using an encrypted gpg key, it won't ask for the passphrase at startup.

According to the "Common Problems" page in the GnuPG docs (http://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html), the GPG_TTY var must be set for pinentry-ncurses to work. Alternatively, the --pinentry-program option could be used for a custom, pure console version of pinentry.

Reproducible: Always

Steps to Reproduce:
1. Create an encrypted gpg key for the filesystem:

$ dd if=/dev/random count=1 | gpg --symmetric -a > /fs_key.gpg

2. Set up a dmcrypt mapping in /etc/conf.d/dmcrypt using a GnuPG key. Example:

target=crypt-fs
source=/dev/sda5
key='/fs_key.gpg:gpg'

3. Reboot.  Will not set up /dev/mapping/crypt-fs as expected.
Comment 1 SpanKY gentoo-dev 2011-02-22 20:44:39 UTC
I've never needed to set GPG_TTY and things work fine for me.  further, the FAQ you reference does not say it must be set.  it only says "GPG_TTY has not been set correctly".  that means "if it is set, it must be set to a valid value".
Comment 2 Timm Murray 2011-02-22 21:01:39 UTC
The GPG_TTY var has to be set for pinentry-curses to work, period. I can replicate that much without having to reboot:

$ export | grep GPG_TTY
$ dd if=/dev/random count=1 | gpg --symmetric -a 
0+1 records in
0+1 records out
128 bytes (128 B) copied, 0.000999918 s, 128 kB/s
pinentry-curses: no LC_CTYPE known - assuming UTF-8
                                                   pinentry-curses: no LC_CTYPE known - assuming UTF-8
                      pinentry-curses: no LC_CTYPE known - assuming UTF-8
                                                                         pinentry-curses: no LC_CTYPE known - assuming UTF-8

*** HIT CTL-C ***

gpg: signal Interrupt caught ... exiting

$ export GPG_TTY=`tty`
$ dd if=/dev/random count=1 | gpg --symmetric -a 
0+1 records in
0+1 records out
128 bytes (128 B) copied, 0 s, Infinity B/s

*** NCURSES POPUP FOR PASSPHRASE ***

Comment 3 SpanKY gentoo-dev 2011-02-22 23:40:04 UTC
how is your example relevant?  you're taking over the stdin of gpg with that pipe which is not what the cryptsetup startup code does.
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2012-12-15 23:47:13 UTC
Timm:

If you add GPG_TTY="$(tty)" on the same line (162) where gpg is executed in /etc/init.d/dmcrypt, does it work for you?

It should detect the tty automatically as stdin is not redirected to any place... just want to be sure.
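
An added illustration (not part of the bug thread and not code from /etc/init.d/dmcrypt) of the check discussed in comments 1 to 4: accept GPG_TTY only when it names a real terminal, otherwise take the terminal from stdin or stderr, and pass it to gpg on the same command line. The function names is_tty, resolve_gpg_tty and decrypt_key are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from the Gentoo init script.

# is_tty PATH: succeed only if PATH is a character device that opens as a terminal.
is_tty() {
    [ -c "$1" ] && { [ -t 0 ] <"$1"; } 2>/dev/null
}

# resolve_gpg_tty: print the terminal pinentry should use, or return 1.
resolve_gpg_tty() {
    # 1. Honour an existing GPG_TTY, but only if it is a valid terminal
    #    ("if it is set, it must be set to a valid value", comment 1).
    if [ -n "${GPG_TTY:-}" ] && is_tty "$GPG_TTY"; then
        printf '%s\n' "$GPG_TTY"
        return 0
    fi
    # 2. stdin is the terminal (the init-script case, comments 3 and 4).
    if [ -t 0 ]; then
        tty
        return
    fi
    # 3. stdin is a pipe (the reproduction in comment 2): try stderr instead.
    #    Plain `tty` would print "not a tty" here, which must never be exported.
    if [ -t 2 ]; then
        tty <&2
        return
    fi
    return 1
}

# decrypt_key KEYFILE: run gpg with GPG_TTY set for this one command only,
# mirroring the GPG_TTY="$(tty)" suggestion in comment 4.
decrypt_key() {
    _gpg_tty=$(resolve_gpg_tty) || {
        echo "decrypt_key: no terminal available for pinentry" >&2
        return 1
    }
    GPG_TTY="$_gpg_tty" gpg --quiet --decrypt "$1"
}
```

When no terminal can be found, decrypt_key fails before gpg is started, so the caller gets an error instead of a pinentry that waits for input nobody can give.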
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2012-12-22 00:57:11 UTC
Hi Timm,

Please reopen if you have more details.

Thanks,