Public bug reported:

(NOTE: This might very well be an upstream issue, but an upstream bug
tracker is hard to find.)

Ubuntu:     25.04
kwallet6:   6.12.0-0ubuntu1
kwalletcli: 3.03-1build2
gpg-agent:  2.4.4-2ubuntu23.1

I'm guessing this is a 'pinentry-kwallet' issue because 'gpg-agent'
works as expected when configured to use, for example, 'pinentry-qt'.

However, 'pinentry-kwallet' works fine when not called by 'gpg-agent'.
For example, this works as expected (i.e. it executes the configured
'pinentry' alternative to receive the PIN):

-------
$ echo GETPIN | pinentry-kwallet
Loading the "qt_" catalog failed for locale QLocale(C, Default, Default)
OK ready to listen to your demands
D 0000
OK
-------

This is the 'pinentry-kwallet' log for the above example:

-------
$ cat ~/pinentry-kwallet.debug

135997 === new Tue Aug 12 12:45:37 CEST 2025
135997 LOG starting coproc 0: PINENTRY_KWALLET=set '/usr/bin/pinentry' args
135997 <s OK Pleased to meet you, process 136000
135997 LOG have_sub=1
135997 >p OK ready to listen to your demands
135997 <p GETPIN
135997 LOG blacklisted
135997 >s GETPIN
135997 <s D 0000
135997 <s OK
135997 >p D 0000
135997 >p OK
135997 >s BYE
135997 <s OK closing connection
-------

=======================================

When 'gpg-agent' is configured to use 'pinentry-kwallet' from
'kwalletcli':

-------
$ grep pinentry ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-kwallet

$ echo $PINENTRY
/usr/bin/pinentry-qt

$ update-alternatives --config pinentry
There are 2 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-qt       80        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
-------

'pinentry-kwallet' fails to retrieve an entry from the KWallet store.
For example, when used to handle SSH keys, the following happens:

-------
$ cat ~/pinentry-kwallet.debug

143539 === new Tue Aug 12 13:28:53 CEST 2025
143539 LOG argv[1]='--display'
143539 LOG argv[2]=':1'
143539 LOG starting coproc 0: PINENTRY_KWALLET=set '/usr/bin/pinentry-kwallet' args

143542 === new Tue Aug 12 13:28:53 CEST 2025
143542 >p ERR 7 trying to call me recursively
143539 <s ERR 7 trying to call me recursively
143539 LOG have_sub=0
143539 >p OK ready to listen to your demands
143539 <p OPTION no-grab
143539 >p OK
143539 <p OPTION allow-external-password-cache
143539 >p OK
143539 <p OPTION default-ok=_OK
143539 >p OK
143539 <p OPTION default-cancel=_Cancel
143539 >p OK
143539 <p OPTION default-yes=_Yes
143539 >p OK
143539 <p OPTION default-no=_No
143539 >p OK
143539 <p OPTION default-prompt=PIN:
143539 >p OK
143539 <p OPTION default-pwmngr=_Save in password manager
143539 >p OK
143539 <p OPTION default-cf-visi=Do you really want to make your passphrase visible on the screen?
143539 >p OK
143539 <p OPTION default-tt-visi=Make passphrase visible
143539 >p OK
143539 <p OPTION default-tt-hide=Hide passphrase
143539 >p OK
143539 <p OPTION default-capshint=Caps Lock is on
143539 >p OK
143539 <p OPTION touch-file=/run/user/1000/gnupg/S.gpg-agent
143539 >p OK
143539 <p OPTION owner=143532/1000 minis
143539 >p OK
143539 <p GETINFO flavor
143539 >p OK
143539 <p GETINFO version
143539 >p OK
143539 <p GETINFO ttyinfo
143539 >p OK
143539 <p GETINFO pid
143539 >p D 143539
143539 >p OK
143539 <p SETKEYINFO s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
143539 >p OK
143539 <p SETDESC Please enter the passphrase for the ssh key%0A  SHA256:EQTD/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  (/home/rkratky/.ssh/rkratky/id_rsa)
143539 >p OK
143539 <p SETPROMPT Passphrase:
143539 >p OK
143539 <p GETPIN
143539 LOG read errcnt failed
143539 LOG read pass 1: ''
143539 >p ERR 14 no coprocess
143539 <p BYE
143539 >p OK
---------

---------
$ grep debug ~/.gnupg/gpg-agent.conf

debug-level guru

$ journalctl --user -u gpg-agent

Aug 12 13:28:53 minis gpg-agent[143400]: DBG: sshkeys[0]: order=100015, pubkey=0xXXXXXXXXXXXXXXXX sn=(null)
Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for request_identities (11) ready
Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for sign_request (13) started
Aug 12 13:28:53 minis gpg-agent[143400]: DBG: agent_get_cache 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'.0 (mode 4) ...
Aug 12 13:28:53 minis gpg-agent[143400]: DBG: ... miss
Aug 12 13:28:53 minis gpg-agent[143400]: starting a new PIN Entry
Aug 12 13:28:53 minis gpg-agent[143400]: DBG: connection to PIN entry established
Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown GETINFO capability flavor
Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown GETINFO capability ttyinfo
Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown line 'SETKEYINFO s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Aug 12 13:28:53 minis gpg-agent[143400]: DBG: error calling pinentry: Invalid packet <Unspecified source>
Aug 12 13:28:53 minis gpg-agent[143539]: E: io_p_out: /usr/bin/pinentry-kwallet[339]: print: write: Broken pipe
Aug 12 13:28:53 minis gpg-agent[143400]: failed to unprotect the secret key: Invalid packet
Aug 12 13:28:53 minis gpg-agent[143400]: failed to read the secret key
Aug 12 13:28:53 minis gpg-agent[143400]: ssh sign request failed: Invalid packet <Pinentry>
Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for sign_request (13) ready
Aug 12 13:28:54 minis gpg-agent[143400]: DBG: chan_13 -> RESTART
Aug 12 13:28:54 minis gpg-agent[143400]: DBG: chan_13 <- OK
Aug 12 13:28:54 minis gpg-agent[143400]: ssh handler 0xXXXXXXXXXXXX for fd 11 terminated
----------

** Affects: kwalletcli (Ubuntu)
     Importance: Undecided
         Status: New
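
The two debug logs in the report differ in which coprocess the wrapper starts: '/usr/bin/pinentry' in the working run, '/usr/bin/pinentry-kwallet' itself under 'gpg-agent'. As an added example (not part of the bug report or of kwalletcli), this script scans a 'pinentry-kwallet.debug' log and flags sessions where the wrapper launched itself as its backend. The finding labels, and the reading of '<s'/'>p' as traffic from the subprocess and to the parent, are assumptions inferred from the quoted logs.

```python
import re

SELF = "/usr/bin/pinentry-kwallet"  # wrapper path, as configured in the report

# Abridged from the two debug logs quoted in the report (OPTION lines omitted).
SAMPLE_LOG = """\
135997 === new Tue Aug 12 12:45:37 CEST 2025
135997 LOG starting coproc 0: PINENTRY_KWALLET=set '/usr/bin/pinentry' args
135997 <s OK Pleased to meet you, process 136000
135997 LOG have_sub=1
135997 <p GETPIN
135997 >s GETPIN
135997 >p D 0000
143539 === new Tue Aug 12 13:28:53 CEST 2025
143539 LOG starting coproc 0: PINENTRY_KWALLET=set '/usr/bin/pinentry-kwallet' args
143542 === new Tue Aug 12 13:28:53 CEST 2025
143542 >p ERR 7 trying to call me recursively
143539 <s ERR 7 trying to call me recursively
143539 LOG have_sub=0
143539 <p GETPIN
143539 >p ERR 14 no coprocess
"""

# "<pid> <tag> <message>"; tag is ===, LOG, or a direction marker (<s >s <p >p).
LINE = re.compile(r"^(\d+) (===|LOG|[<>][ps]) (.*)$")
# The trailing "args" is not required, so mail-wrapped log lines still match.
COPROC = re.compile(r"^starting coproc \d+: .*?'([^']+)'")


def diagnose(log_text, self_path=SELF):
    """Return {pid: [finding, ...]} for every session seen in the debug log."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or wrapped continuation
        pid, tag, msg = int(m.group(1)), m.group(2), m.group(3)
        events = findings.setdefault(pid, [])
        if tag == "LOG":
            c = COPROC.match(msg)
            if c and c.group(1) == self_path:
                events.append("coproc-is-self")   # wrapper chose itself as backend
            elif msg == "have_sub=0":
                events.append("no-backend")       # no real pinentry available
        elif msg.startswith("ERR 7 "):
            events.append("refused-recursive-call" if tag == ">p" else "backend-refused")
        elif tag == ">p" and msg.startswith("ERR 14 "):
            events.append("getpin-failed")        # error returned to gpg-agent
    return findings
```

A session that carries both 'coproc-is-self' and 'getpin-failed' matches the failure shown in the report; the working session yields an empty list.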

** Description changed:

  (NOTE: This might very well be an upstream issue, but an upstream bug
  tracker is hard to find.)
  
  Ubuntu:     25.04
  kwallet6:   6.12.0-0ubuntu1
  kwalletcli: 3.03-1build2
  gpg-agent:  2.4.4-2ubuntu23.1
  
  I'm guessing this is a 'pinentry-kwallet' issue because 'gpg-agent'
  works as expected when configured to use, for example, 'pinentry-qt'.
  
  However, 'pinentry-kwallet' works fine when not called by 'gpg-agent'.
  For example, this works as expected (i.e. it executes the configured
  'pinentry' alternative to receive the PIN):
  
  -------
  $ echo GETPIN | pinentry-kwallet
  Loading the "qt_" catalog failed for locale QLocale(C, Default, Default)
  OK ready to listen to your demands
  D 0000
  OK
  -------
  
  This is the 'pinentry-kwallet' log for the above example:
  
  -------
  $ cat ~/pinentry-kwallet.debug
  
  135997 === new Tue Aug 12 12:45:37 CEST 2025
  135997 LOG starting coproc 0: PINENTRY_KWALLET=set '/usr/bin/pinentry' args
  135997 <s OK Pleased to meet you, process 136000
  135997 LOG have_sub=1
  135997 >p OK ready to listen to your demands
  135997 <p GETPIN
  135997 LOG blacklisted
  135997 >s GETPIN
  135997 <s D 0000
  135997 <s OK
  135997 >p D 0000
  135997 >p OK
  135997 >s BYE
  135997 <s OK closing connection
  -------
  
  =======================================
  
  When 'gpg-agent' is configured to use 'pinentry-kwallet' from
  'kwalletcli':
  
  -------
  $ grep pinentry ~/.gnupg/gpg-agent.conf
+ pinentry-program /usr/bin/pinentry-kwallet
  
- pinentry-program /usr/bin/pinentry-kwallet
+ $ echo $PINENTRY
+ /usr/bin/pinentry-qt
+ 
+ $ update-alternatives --config pinentry
+ There are 2 choices for the alternative pinentry (providing 
/usr/bin/pinentry).
+ 
+   Selection    Path                      Priority   Status
+ ------------------------------------------------------------
+ * 0            /usr/bin/pinentry-qt       80        auto mode
+   1            /usr/bin/pinentry-curses   50        manual mode
  -------
  
  'pinentry-kwallet' fails to retrieve an entry from the KWallet store.
  For example, when used to to handle SSH keys, the following happens:
  
  -------
  $ cat ~/pinentry-kwallet.debug
  
  143539 === new Tue Aug 12 13:28:53 CEST 2025
  143539 LOG argv[1]='--display'
  143539 LOG argv[2]=':1'
  143539 LOG starting coproc 0: PINENTRY_KWALLET=set 
'/usr/bin/pinentry-kwallet' args
  
  143542 === new Tue Aug 12 13:28:53 CEST 2025
  143542 >p ERR 7 trying to call me recursively
  143539 <s ERR 7 trying to call me recursively
  143539 LOG have_sub=0
  143539 >p OK ready to listen to your demands
  143539 <p OPTION no-grab
  143539 >p OK
  143539 <p OPTION allow-external-password-cache
  143539 >p OK
  143539 <p OPTION default-ok=_OK
  143539 >p OK
  143539 <p OPTION default-cancel=_Cancel
  143539 >p OK
  143539 <p OPTION default-yes=_Yes
  143539 >p OK
  143539 <p OPTION default-no=_No
  143539 >p OK
  143539 <p OPTION default-prompt=PIN:
  143539 >p OK
  143539 <p OPTION default-pwmngr=_Save in password manager
  143539 >p OK
  143539 <p OPTION default-cf-visi=Do you really want to make your passphrase 
visible on the screen?
  143539 >p OK
  143539 <p OPTION default-tt-visi=Make passphrase visible
  143539 >p OK
  143539 <p OPTION default-tt-hide=Hide passphrase
  143539 >p OK
  143539 <p OPTION default-capshint=Caps Lock is on
  143539 >p OK
  143539 <p OPTION touch-file=/run/user/1000/gnupg/S.gpg-agent
  143539 >p OK
  143539 <p OPTION owner=143532/1000 minis
  143539 >p OK
  143539 <p GETINFO flavor
  143539 >p OK
  143539 <p GETINFO version
  143539 >p OK
  143539 <p GETINFO ttyinfo
  143539 >p OK
  143539 <p GETINFO pid
  143539 >p D 143539
  143539 >p OK
  143539 <p SETKEYINFO s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  143539 >p OK
  143539 <p SETDESC Please enter the passphrase for the ssh key%0A  
SHA256:EQTD/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
(/home/rkratky/.ssh/rkratky/id_rsa)
  143539 >p OK
  143539 <p SETPROMPT Passphrase:
  143539 >p OK
  143539 <p GETPIN
  143539 LOG read errcnt failed
  143539 LOG read pass 1: ''
  143539 >p ERR 14 no coprocess
  143539 <p BYE
  143539 >p OK
  ---------
  
- 
  ---------
  $ grep debug ~/.gnupg/gpg-agent.conf
  
  debug-level guru
  
  $ journalctl --user -u gpg-agent
  
  Aug 12 13:28:53 minis gpg-agent[143400]: DBG: sshkeys[0]: order=100015, 
pubkey=0xXXXXXXXXXXXXXXXX sn=(null)
  Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for 
request_identities (11) ready
  Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for sign_request 
(13) started
  Aug 12 13:28:53 minis gpg-agent[143400]: DBG: agent_get_cache 
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'.0 (mode 4) ...
  Aug 12 13:28:53 minis gpg-agent[143400]: DBG: ... miss
  Aug 12 13:28:53 minis gpg-agent[143400]: starting a new PIN Entry
  Aug 12 13:28:53 minis gpg-agent[143400]: DBG: connection to PIN entry 
established
  Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown GETINFO capability 
flavor
  Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown GETINFO capability 
ttyinfo
  Aug 12 13:28:53 minis gpg-agent[143539]: warning: unknown line 'SETKEYINFO 
s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
  Aug 12 13:28:53 minis gpg-agent[143400]: DBG: error calling pinentry: Invalid 
packet <Unspecified source>
  Aug 12 13:28:53 minis gpg-agent[143539]: E: io_p_out: 
/usr/bin/pinentry-kwallet[339]: print: write: Broken pipe
  Aug 12 13:28:53 minis gpg-agent[143400]: failed to unprotect the secret key: 
Invalid packet
  Aug 12 13:28:53 minis gpg-agent[143400]: failed to read the secret key
  Aug 12 13:28:53 minis gpg-agent[143400]: ssh sign request failed: Invalid 
packet <Pinentry>
  Aug 12 13:28:53 minis gpg-agent[143400]: ssh request handler for sign_request 
(13) ready
  Aug 12 13:28:54 minis gpg-agent[143400]: DBG: chan_13 -> RESTART
  Aug 12 13:28:54 minis gpg-agent[143400]: DBG: chan_13 <- OK
  Aug 12 13:28:54 minis gpg-agent[143400]: ssh handler 0xXXXXXXXXXXXX for fd 11 
terminated
  ----------

https://bugs.launchpad.net/bugs/2120443

Title:
  pinentry-kwallet called recursively by gpg-agent
