Linux: pass show not showing the secret
Amit Saha
amitsaha.in at gmail.com
Sun Nov 7 00:30:34 UTC 2021
On Sun, Nov 7, 2021 at 10:50 AM Lee Ball <lee at leeball.dev> wrote:
>
> Sorry to spam you here Amit- I forgot to put the list on the To: line in
> case the info is helpful to anyone else:
All good, thanks for sharing the tips. This is what I have now.
My Gpg agent is running via a systemd user service:
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
[Service]
ExecStart=/usr/bin/gpg-agent --supervised --debug-all
ExecReload=/usr/bin/gpgconf --reload gpg-agent
My config files:
$ cat ~/.gnupg/gpg.conf
# pinentry-mode loopback
(I had to comment that out since otherwise "pass" gives this error:
gpg: Sorry, we are in batchmode - can't get input)
My gpg-agent.conf is now:
$ cat ~/.gnupg/gpg-agent.conf
debug 1024
debug-level advanced
debug-pinentry
pinentry-program /usr/bin/pinentry-curses
log-file gpg-agent.log
display :0
When I do a "pass show <password>", it asks me for the passphrase, if
i enter the wrong pass phrase, it does come back with an error saying
bad passphrase.
So it seems to me that the gpg decryption is happening, but then
something is getting lost.
If i look at the gpg-agent.log file (after i have once successfully
entered my pass phrase), i see this when i do a "pass show
<password>":
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK Pleased to meet
you, process 2671
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- RESET
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION ttyname=/dev/pts/1
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION
ttytype=xterm-256color
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION display=:0.0
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION
xauthority=/home/echorand/.Xauthority
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION
putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION lc-ctype=en_AU.UTF-8
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION
lc-messages=en_AU.UTF-8
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- GETINFO version
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> D 2.2.19
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION allow-pinentry-notify
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- OPTION agent-awareness=2.1.0
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- HAVEKEY <KEY ID>
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- HAVEKEY <KEY ID>
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- HAVEKEY <KEY ID>
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- RESET
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- SETKEY <KEY ID>
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- SETKEYDESC
Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Amit+Saha+<amitsaha.in at gmail.com>%22%0A256-bit+ECDH+key,+ID+2936DD677ED4C323,%0Acreated+2021-10-02+(main+key+ID+2A18534CA9B35D2B).%0A
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- PKDECRYPT
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> S INQUIRE_MAXLEN 4096
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 -> INQUIRE CIPHERTEXT
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- [ 44 20 28 37 3a
65 6e 63 2d 76 61 6c 28 34 3a 65 ...(105 byte(s) skipped) ]
2021-11-07 11:28:28 gpg-agent[2614] DBG: chan_10 <- END
2021-11-07 11:28:29 gpg-agent[2614] DBG: chan_10 -> [ 44 20 28 35 3a
76 61 6c 75 65 33 33 3a 40 8b 7a ...(31 byte(s) skipped) ]
2021-11-07 11:28:29 gpg-agent[2614] DBG: chan_10 -> OK
2021-11-07 11:28:29 gpg-agent[2614] DBG: chan_10 <- [eof]
Appreciate any further debugging tips.
Thanks,
Amit.
>
> ---
>
> > Oh, I forgot to mention in my previous email-- here's a list of the
> > gpg-agent options:
> >
> > https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
> >
> > And you can reload your gpg agent to pick up new configs with:
> >
> > $ gpg-connect-agent reloadagent /bye
> >
> > All the best,
> > Cat Lee Ball
> >
> >
> > On 11/6/21 4:41 PM, Lee Ball wrote:
> >> Hi Amit,
> >>
> >>
> >> To get a little more debug info, you might want to try adding debug
> >> flags to gpg-agent. Usually, those live in ~/.gnupg/gpg-agent.conf
> >>
> >> You could try something like:
> >>
> >>
> >> $ cat ~/.gnupg/gpg-agent.conf
> >> debug 1024
> >> debug-level advanced
> >> debug-pinentry
> >>
> >>
> >> One wild guess is that maybe the pinentry prompt isn't spawning. You
> >> can tell it to use a specific pinentry program in your gpg-agent.conf
> >> too.
> >>
> >>
> >> $ cat ~/.gnupg/gpg-agent.conf
> >> pinentry-program /usr/bin/pinentry-curses
> >>
> >>
> >> Make sure you have pinentry-curses installed first if you copy the
> >> above line verbatim. :)
> >>
> >>
> >> Wishing you luck!
> >> Cat Lee Ball
>
> ---
>
> All the best,
> Cat Lee Ball
>
>
> On 11/6/21 4:37 PM, Amit Saha wrote:
> > On Sun, Nov 7, 2021 at 10:13 AM Amit Saha <amitsaha.in at gmail.com> wrote:
> >>
> >> Hi all, a fairly new user of pass. I am using a git store for my
> >> passwords. I started using MacOS and have been using it on a single
> >> computer.
> >>
> >> Now, I have set pass up on a second system (Linux), and using the
> >> 1.7.3 version on Ubuntu, when I do "pass show" one of the existing
> >> passwords, the Gpg dialog pops up, I put in the password, then there
> >> is no output. However, I can "pass insert" a new password on the same
> >> system, and then "pass show" shows the secret.
> >>
> >> I can go back to the other computer, and I can see the secret I
> >> created on the Linux system.
> >>
> >> I have used my existing gpg keys to encrypt and decrypt a file successfully.
> >>
> >>
> >> Not sure how to best debug. Any suggestions would be helpful.
> >
> > I tried using --clip:
> >
> > $ pass show --clip <pass word name>
> > There is no password to put on the clipboard at line 1.
> >
> > So, I suppose the decryption process is not working?
> >
> >
> >>
> >> Thanks,
> >> Amit.
More information about the Password-Store
mailing list