View previous topic :: View next topic |
Author |
Message |
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Sat Jan 19, 2019 9:44 pm Post subject: Trying to make a pinentry switcher through an env variable |
|
|
Hey everyone,
I'm trying to make a rofi pinentry script but I seem to be running into some trouble.
I can't seem to find the answers online and was hoping someone here may know a bit about this topic.
First I'm trying to build a pinentry toggle which changes which pinentry it uses based on an environment variable.
I want it to not always use the rofi-pinentry script and only certain scripts should use it.
This stackexchange post mentions thats its possible with a script that they provide.
For now I modified the script to work with the gentoo symlink for pinentry so it looks something like this.
Code: |
#!/bin/sh
# choose pinentry depending on PINENTRY_USER_DATA
# this *only works* with gpg 2
# see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802020
case $PINENTRY_USER_DATA in
qt)
exec /usr/bin/pinentry-qt4 "$@"
;;
none)
exit 1 # do not ask for passphrase
;;
*)
exec /usr/bin/pinentry "$@"
;;
esac
|
So this checks $PINENTRY_USER_DATA to see which pinentry to use.
For now, this script should switch between using tty (what I have eselect set to) and pinentry-qt4.
However this doesn't seem to work when I run the program passwordstore, I get gpg:decryption failed: no secret key
Note, I also do have pinentry-program option set in gpg-agent.conf to use this script.
Thanks,
zamlz _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Sat Jan 19, 2019 11:13 pm Post subject: |
|
|
Add the line below to your pinentry script, just before the case statement:
Code: | echo "PINENTRY_USER_DATA=<${PINENTRY_USER_DATA}>, options=<$@>" >>/tmp/pinentry.log
|
Run passwordstore once and post the contents of the file /tmp/pinentry.log. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Sat Jan 19, 2019 11:38 pm Post subject: |
|
|
mike155 wrote: | Add the line below to your pinentry script, just before the case statement:
Code: | echo "PINENTRY_USER_DATA=<${PINENTRY_USER_DATA}>, options=<$@>" >>/tmp/pinentry.log
|
Run passwordstore once and post the contents of the file /tmp/pinentry.log. |
Unfortunately, that file isn't even being created O_O
I double checked and made sure that the following line was there.
Code: | pinentry-program ~/lib/rofi/pinentry-toggler.sh |
Furthermore, I can manually run the the script and it seem to work (i can call GETPIN, etc).
I'm really confused why password store seems to be having trouble here.
EDIT: Just tested editing my gpg key since it also uses pinentry. Turns out that doesn't work either. Guess its not a problem with password store but gnupg? _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Sat Jan 19, 2019 11:58 pm Post subject: |
|
|
Run passwordstore with strace
Code: | strace -f -o /tmp/strace.log passwordstore
|
Look at /tmp/strace.log and try to find out what passwordstore did. Search for 'exec'. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23030
|
Posted: Sun Jan 20, 2019 12:12 am Post subject: |
|
|
Does the program actually understand expanding ~ to a home directory? Your shell handles that in interactive mode. This tool may be treating that as a literal path, which would then fail. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Sun Jan 20, 2019 1:58 am Post subject: |
|
|
Hu wrote: | Does the program actually understand expanding ~ to a home directory? Your shell handles that in interactive mode. This tool may be treating that as a literal path, which would then fail. |
WOW. I feel really dumb now lol. Thanks for the help though, that made the script work. I can now switch between qt and tty.
Now I need to figure out whats wrong with my rofi pinentry script.
Should I make a new forum post for that or continue it here? _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23030
|
Posted: Sun Jan 20, 2019 1:59 am Post subject: |
|
|
Here is fine. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Sun Jan 20, 2019 2:27 am Post subject: |
|
|
Alright so remember the script I posted a couple posts ago?
I've added an option for my rofi script.
Code: | #!/bin/sh
# choose pinentry depending on PINENTRY_USER_DATA
# this *only works* with gpg 2
# see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802020
echo "PINENTRY_USER_DATA=<${PINENTRY_USER_DATA}>, options=<$@>" >> \
/tmp/pinentry.log
case $PINENTRY_USER_DATA in
qt)
exec /usr/bin/pinentry-qt4 "$@"
;;
rofi)
exec $HOME/lib/rofi/pinentry-rofi "$@"
;;
none)
exit 1 # do not ask for passphrase
;;
*)
exec /usr/bin/pinentry "$@"
;;
esac |
when I set the variable to rofi, password store hangs. It doesn't actually output anything. I imagine for this I should use the strace command.
Here is the details of the pinentry-rofi script.
Code: | #!/bin/sh
rofi="rofi -dmenu -input /dev/null -password -lines 0"
echo "OK Please go ahead"
while read cmd rest; do
if [ -z "$cmd" ]; then
continue;
fi
case "$cmd" in
\#*)
echo "OK"
;;
GETINFO)
case "$rest" in
flavor)
echo "D qt"
;;
pid)
echo "D $$"
;;
esac
;;
SETDESC)
rofi="$rofi -mesg '$rest'"
echo "OK"
;;
SETPROMPT)
rofi="$rofi -p $rest"
echo "OK"
;;
GETPIN)
_PP=$($rofi)
if [ -z "$_PP" ]; then
echo "ERR 83886179 Operation cancelled <rofi>"
else
echo "D $_PP"
fi
;;
BYE)
echo "OK"
exit 0
;;
*)
echo "OK"
;;
esac
done
|
_________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Sun Jan 20, 2019 2:48 am Post subject: |
|
|
Add some 'echo' statements to your script and try to understand what happens:
after line 3 ('rofi='):
Code: | echo "pinentry-rofi started" >>/tmp/pinentry-rofi.log |
after 'while read cmd rest; do ':
Code: | echo "cmd=${cmd}" >>/tmp/pinentry-rofi.log |
after 'GETPIN)'
Code: | echo "GETPIN, calling rofi: ${rofi}" >>/tmp/pinentry-rofi.log |
after 'BYE)'
Code: | echo "BYE, exiting" >>/tmp/pinentry-rofi.log |
after the last line:
Code: | echo "EOF, exiting" >>/tmp/pinentry-rofi.log |
Then run passwordstore and post the file /tmp/pinentry-rofi.log. WARNING: before you post the file, look at it and replace sensitive data like usernames or passwords with XXXXXX! |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Jan 21, 2019 12:14 am Post subject: |
|
|
Alright I've done what you've requested and here are the results.
Code: | pinentry-rofi started
cmd=OPTION pinentry-user-data=rofi
cmd=OPTION no-grab
cmd=OPTION ttyname=/dev/pts/0
cmd=OPTION ttytype=xterm-256color
cmd=OPTION lc-ctype=en_US.utf8
cmd=OPTION lc-messages=en_US.utf8
cmd=OPTION allow-external-password-cache
cmd=OPTION default-ok=_OK
cmd=OPTION default-cancel=_Cancel
cmd=OPTION default-yes=_Yes
cmd=OPTION default-no=_No
cmd=OPTION default-prompt=PIN:
cmd=OPTION default-pwmngr=_Save in password manager
cmd=OPTION default-cf-visi=Do you really want to make your passphrase visible on the screen?
cmd=OPTION default-tt-visi=Make passphrase visible
cmd=OPTION default-tt-hide=Hide passphrase
cmd=OPTION touch-file=/run/user/1000/gnupg/S.gpg-agent
cmd=OPTION owner=30149 andromeda
cmd=GETINFO flavor |
It seems its just hanging at the GETINFO flavor command.
For that I am returning qt (no particular reason why). Should I not be doing that?
EDIT: I've tried with other flavors names (including rofi) and also removing the option for flavor. I don't see any changes in it's behavior. _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Jan 21, 2019 12:49 am Post subject: |
|
|
The input field separator is wrong.
1) Replace the line
Code: | echo "cmd=${cmd}" >>/tmp/pinentry-rofi.log
| with
Code: | echo "cmd=<${cmd}>, rest=<${rest}>" >>/tmp/pinentry-rofi.log |
an re-run your program. You will see that the whole line is stored to cmd, and that variable rest is empty.
2) In order to fix that, add the line below after line 2
Please remove /tmp/pinentry-rofi.log, rerun the program and post the output. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Jan 21, 2019 1:26 am Post subject: |
|
|
I should have mentioned that I took some creative liberties in your instructions earlier.
I made,
Code: | echo "cmd=${cmd}" >>/tmp/pinentry-rofi.log |
into
Code: | echo "cmd=${cmd} ${rest}" >>/tmp/pinentry-rofi.log |
But I still had hope and tried your new edit as well.
Code: | echo "cmd=<${cmd}>, rest=<${rest}>" >>/tmp/pinentry-rofi.log |
Unfortunately, it is correctly being stored in the $rest variable.
Code: | pinentry-rofi started
cmd=<OPTION> rest=<pinentry-user-data=rofi>
cmd=<OPTION> rest=<no-grab>
cmd=<OPTION> rest=<ttyname=/dev/pts/0>
cmd=<OPTION> rest=<ttytype=xterm-256color>
cmd=<OPTION> rest=<lc-ctype=en_US.utf8>
cmd=<OPTION> rest=<lc-messages=en_US.utf8>
cmd=<OPTION> rest=<allow-external-password-cache>
cmd=<OPTION> rest=<default-ok=_OK>
cmd=<OPTION> rest=<default-cancel=_Cancel>
cmd=<OPTION> rest=<default-yes=_Yes>
cmd=<OPTION> rest=<default-no=_No>
cmd=<OPTION> rest=<default-prompt=PIN:>
cmd=<OPTION> rest=<default-pwmngr=_Save in password manager>
cmd=<OPTION> rest=<default-cf-visi=Do you really want to make your passphrase visible o
cmd=<OPTION> rest=<default-tt-visi=Make passphrase visible>
cmd=<OPTION> rest=<default-tt-hide=Hide passphrase>
cmd=<OPTION> rest=<touch-file=/run/user/1000/gnupg/S.gpg-agent>
cmd=<OPTION> rest=<owner=11201 andromeda>
cmd=<GETINFO> rest=<flavor>
|
EDIT: OMG I figured it out. I wasn't printing OK on a newline after printing the flavor.
Odd, since the ruby script I was basing this on didn't do it either? In any case, It seems I'm onto something now. Its stuck on another GETINFO so now I just need to implement whatever the program wants.
I hope that'll fix it. I'll come back if anything new comes up.
Thanks for all the help so far! _________________ AI/ML/Robotics/Linux - zamlz
Last edited by zamlz on Mon Jan 21, 2019 1:31 am; edited 1 time in total |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23030
|
Posted: Mon Jan 21, 2019 1:27 am Post subject: |
|
|
As a general tip, you should handle unexpected input values. In this case, if flavor is not on your expected list, you ignore the inquiry and do not send anything back to the peer. You should at least log it as an unexpected event, and if possible, respond to it. The appropriate response varies, but could be to send an error report back or to exit your script with an error status. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Jan 21, 2019 2:18 am Post subject: |
|
|
alright I'm back again with some more weird stuff. Heres the current output.
Code: | pinentry-rofi started
cmd=<OPTION> rest=<pinentry-user-data=rofi>
cmd=<OPTION> rest=<no-grab>
cmd=<OPTION> rest=<ttyname=/dev/pts/0>
cmd=<OPTION> rest=<ttytype=xterm-256color>
cmd=<OPTION> rest=<lc-ctype=en_US.utf8>
cmd=<OPTION> rest=<lc-messages=en_US.utf8>
cmd=<OPTION> rest=<allow-external-password-cache>
cmd=<OPTION> rest=<default-ok=_OK>
cmd=<OPTION> rest=<default-cancel=_Cancel>
cmd=<OPTION> rest=<default-yes=_Yes>
cmd=<OPTION> rest=<default-no=_No>
cmd=<OPTION> rest=<default-prompt=PIN:>
cmd=<OPTION> rest=<default-pwmngr=_Save in password manager>
cmd=<OPTION> rest=<default-cf-visi=Do you really want to make your passphrase visible on the screen?>
cmd=<OPTION> rest=<default-tt-visi=Make passphrase visible>
cmd=<OPTION> rest=<default-tt-hide=Hide passphrase>
cmd=<OPTION> rest=<touch-file=/run/user/1000/gnupg/S.gpg-agent>
cmd=<OPTION> rest=<owner=22443 andromeda>
cmd=<GETINFO> rest=<flavor>
cmd=<GETINFO> rest=<version>
cmd=<GETINFO> rest=<ttyinfo>
cmd=<GETINFO> rest=<pid>
cmd=<SETKEYINFO> rest=<n/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
cmd=<SETDESC> rest=<Please enter the passphrase to unlock the OpenPGP secret key XXX XXX XXX XXX>
cmd=<SETPROMPT> rest=<Passphrase:>
cmd=<GETPIN> rest=<>
GETPIN, calling rofi: rofi -dmenu -input /dev/null -password -lines 0 -p Passphrase
cmd=<BYE> rest=<>
BYE, exiting |
It doesn't even manage to open up rofi, but it gets through the whole script (weird).
Password store doesn't hang anymore, but instead I get this message printed to stdout
Code: | gpg: decryption failed: No secret key |
I tried running just the rofi command that it produced to make sure there were no errors and it seems to work fine.
Code: | rofi -dmenu -input /dev/null -password -lines 0 -p Passphrase |
Secondly, I tried running the pinentry-rofi program manually and entered the same commands to see if it worked and it did and it opened up rofi correctly.
So not sure why its not working with password store here. _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Jan 21, 2019 3:37 am Post subject: |
|
|
1) Add the directory in which the rofi executable is installed to line 3 (I assume it's /usr/bin - change it if rofi is installed in a different directory)
Code: | rofi="/usr/bin/rofi -dmenu -input /dev/null -password -lines 0"
|
2) Your script won't work if the prompt or the description contains spaces or special characters. The generated rofi statement would look like:
Code: | /usr/bin/rofi -dmenu -input /dev/null -password -lines 0 -p this $is my prompt |
Do you see the problem? Modify your script so that the parameters added to variable 'rofi' after SETDESC) and SETPROMPT) will be surrounded by quotes:
Code: | /usr/bin/rofi -dmenu -input /dev/null -password -lines 0 -p 'this $is my prompt' |
While you're at it: what will happen if the calling program sends 2 SETPROMPT or SETDESC requests?
3) Add the line below directly after the rofi call ( _PP=$($rofi) ):
Code: | echo "rofi return values: ERC=<$?>, _PP=<${_PP}>" >>/tmp/pinentry-rofi.log |
It will write the error return code and the passphrase to the log file. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Jan 21, 2019 5:21 am Post subject: |
|
|
Alright I've done all the suggestions you've asked and here is the output.
Oh I also added a line to see if rofi prints anything useful as well, it turns out it does.
Code: | _PP=$( $rofi >> /tmp/pinentry-rofi.log 2>&1 ) |
Code: | pinentry-rofi started
cmd=<OPTION> rest=<pinentry-user-data=rofi>
cmd=<OPTION> rest=<no-grab>
cmd=<OPTION> rest=<ttyname=/dev/pts/2>
cmd=<OPTION> rest=<ttytype=xterm-256color>
cmd=<OPTION> rest=<lc-ctype=en_US.utf8>
cmd=<OPTION> rest=<lc-messages=en_US.utf8>
cmd=<OPTION> rest=<allow-external-password-cache>
cmd=<OPTION> rest=<default-ok=_OK>
cmd=<OPTION> rest=<default-cancel=_Cancel>
cmd=<OPTION> rest=<default-yes=_Yes>
cmd=<OPTION> rest=<default-no=_No>
cmd=<OPTION> rest=<default-prompt=PIN:>
cmd=<OPTION> rest=<default-pwmngr=_Save in password manager>
cmd=<OPTION> rest=<default-cf-visi=Do you really want to make your passphrase visible on the screen?>
cmd=<OPTION> rest=<default-tt-visi=Make passphrase visible>
cmd=<OPTION> rest=<default-tt-hide=Hide passphrase>
cmd=<OPTION> rest=<touch-file=/run/user/1000/gnupg/S.gpg-agent>
cmd=<OPTION> rest=<owner=2054 andromeda>
cmd=<GETINFO> rest=<flavor>
cmd=<GETINFO> rest=<version>
cmd=<GETINFO> rest=<ttyinfo>
cmd=<GETINFO> rest=<pid>
cmd=<SETKEYINFO> rest=<n/XXXXX>
cmd=<SETDESC> rest=<Please enter the passphrase to unlock the OpenPGP secret key:XXXXXXXX>
cmd=<SETPROMPT> rest=<Passphrase:>
cmd=<GETPIN> rest=<>
GETPIN, calling rofi: /usr/bin/rofi -dmenu -input /dev/null -password -lines 0 -p 'Passphrase'
(process:2067): X11Helper-WARNING **: 21:14:45.761: Failed to open display: (null)
(process:2067): Rofi-WARNING **: 21:14:45.761: Connection has error
ROFI : ERC=<1>, _PP=<>
cmd=<BYE> rest=<>
BYE, exiting |
It seems like rofi is having trouble finding the display. So this is easy to fix if I just write this in the script.
Code: | export DISPLAY=":0" |
But that is in no way a good solution. Is there a command that can give me the display value? _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Jan 21, 2019 11:23 am Post subject: |
|
|
1) For educational purposes:
Add the lines below to your script, just in front of the first echo statement
Code: | echo "----- set -------" >>/tmp/pinentry.log
set >>/tmp/pinentry.log
echo "----- export ----" >>/tmp/pinentry.log
export >>/tmp/pinentry.log
echo "------------" >>/tmp/pinentry.log |
remove /tmp/pinentry.log, run your script manually and copy /tmp/pinentry.log to /tmp/a.
remove /tmp/pinentry.log, run passwordstore and copy /tmp/pinentry.log to /tmp/b.
Use an editor or a diff tool (diff or diffuse) and compare /tmp/a and /tmp/b. Do you see the difference between a and b? Look especially at PATH and DISPLAY. Is DISPLAY really missing in /tmp/b?
2) I would try to find out why the DISPLAY environment variable isn't defined when the script is called from passwordstore.
I'm not aware of a trick that can recover a missing DISPLAY environment variable. As a workaround, you could add the code below to your script
Code: | if test -z "${DISPLAY}"
then
DISPLAY=":0"
export DISPLAY
fi
|
But it's important to find out where and why the DISPLAY environment variable gets lost. |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Mon Jan 21, 2019 9:22 pm Post subject: |
|
|
Wow alright thats intersting. So script A does has the DISPLAY variable set (makes sense as Im just running the script from my shell).
Script B does not and ts probably for the this reason.
The way I'm running my rofi-pass is through a keybind in my window manager.
Also all my exports and PATH variables are all messed up which makes sense since they come from zsh.
Intersting...
In any case, Thank you so much for all the help mike155!
I owe you a beer! _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
zamlz n00b
Joined: 22 Jul 2017 Posts: 42
|
Posted: Fri Feb 01, 2019 6:29 am Post subject: |
|
|
Alright so I found out that it turns out this may not work as planned.
On an Ubuntu system I use, it turns out the display variable is set to ":1"
For now, my fix is,
Code: | if [ -z "${DISPLAY}" ]; then
if [ -n "$(uname -v | grep -i "UBUNTU")" ]; then
export DISPLAY=":1"
else
export DISPLAY=":0"
fi
fi |
There has to be a cleaner solution. This one just urks me the wrong way. _________________ AI/ML/Robotics/Linux - zamlz |
|
Back to top |
|
|
|