Opened 15 years ago

Closed 15 years ago

Last modified 6 years ago

#28 closed defect (fixed)

samhainadmin.pl fails at line 453

Reported by: anonymous Owned by: rainer
Priority: major Milestone: 2.2.3
Component: main Version: 2.2.2
Keywords: Cc:

Description

I am using gpg 1.4.2.2 and it returns error code 2 when successfully signing files if the ssh-agent does not run. This is a problem for scripts relying on gpg return error code. I found out that the simple addition of --no-use-agent addition fixes the issue for samhainadmin.pl... See patch below.

$ sudo samhainadmin.pl -m F
--------------------------------------------------

 Please remember that yule will drop root after startup. Signature
 verification on SIGHUP will fail if you do not import the public key
 into the keyring of the non-root yule user.

--------------------------------------------------
gpg: WARNING: unsafe ownership on homedir `/home/emoret/.gnupg'

You need a passphrase to unlock the secret key for
user: "Eric Moret <XXXXXXXXXXXXXXX>"
4096-bit RSA key, ID DBC967BC, created 2005-05-11

gpg: gpg-agent is not available in this session
system /usr/bin/gpg --homedir /home/emoret/.gnupg                  -a --clearsign -o /etc/samhainrc.asc --not-dash-escaped /etc/samhainrc failed: 512 at /usr/local/sbin/samhainadmin.pl line 453.
diff -ruN samhain-2.2.2/scripts/samhainadmin.pl.in samhain-2.2.2.new/scripts/samhainadmin.pl.in
--- samhain-2.2.2/scripts/samhainadmin.pl.in    2006-04-27 13:58:46.000000000 -0700
+++ samhain-2.2.2.new/scripts/samhainadmin.pl.in        2006-07-23 17:23:05.000000000 -0700
@@ -444,12 +444,12 @@
 
     if (defined($passphrase)) {
        local $SIG{PIPE} = 'IGNORE';
-       my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --passphrase-fd 0 -a --clearsign -o $fileout --not-dash-escaped $file1";
+       my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --no-use-agent --passphrase-fd 0 -a --clearsign -o $fileout --not-dash-escaped $file1";
        open (FH, "|$command")  or die "can't fork: $!";
        print FH "$passphrase"  or die "can't write: $!";
        close FH                or die "can't close: status=$?";
     } else {
-       my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg                   -a --clearsign -o $fileout --not-dash-escaped $file1";
+       my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --no-use-agent                  -a --clearsign -o $fileout --not-dash-escaped $file1";
        system("$command") == 0 
            or die "system $command failed: $?";
     }

Change History (4)

comment:1 Changed 15 years ago by rainer

It seems that this behaviour of gpg is basically correct and only happens if GPG is set to use the gpg-agent. From lists.gnupg.org/pipermail/gnupg-users/2005-April/025551.html:

GPG error code with successful signing operation

When GPG is set to use the gpg-agent but the gpg-agent is not available (error message "gpg-agent is not available in this session" or "can't connect to `/path/to/non-existent-pipe': No such file or directory"), it produces a fatal error code of 2 even if the passphrase is successfully entered at the prompt.

comment:2 Changed 15 years ago by rainer

Rather than use --no-use-agent (which will annoy some users to hell), we should check for the problem with a function like this:

my $gpgconf = ".gnupg/gpg.conf";

if (-f $gpgconf) {

    my @array = ();
    tie @array, 'Tie::File', $gpgconf or die "Cannot tie ${gpgconf}: $!";
    my @grep = grep(/^\s*use-agent/, @array);

    # print "matches = $#grep\n";

    if ($#grep >= 0) 
    {
	if (exists $ENV{'GPG_AGENT_INFO'}) 
	{
	    my $socke = $ENV{'GPG_AGENT_INFO'};
	    $socke =~ s/:.*//;

	    # print "socke = $socke\n";

	    if (! -S $socke) 
	    {
		print "GPG is set to use gpg-agent, but ";
		print "GPG Agent is not running, though GPG_AGENT_INFO is defined.\n";
		exit 1;
	    } 
	} 
	else 
	{
	    print "GPG is set to use gpg-agent, but ";
	    print "GPG_AGENT_INFO is not defined.\n";
	    exit 1;
	}
    }
    untie @array;
}

comment:3 Changed 15 years ago by rainer

Milestone: 2.3.02.2.3

comment:4 Changed 15 years ago by rainer

Resolution: fixed
Status: newclosed

Fixed in changeset [53].

Note: See TracTickets for help on using tickets.