Enigmail does not ask for the pgp passphrase but says no key is available

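Decrypting e-mail with enigmail in thunderbird no longer works. That is because I do not get the chance to enter my passphrase: previously a form popped up asking me for it, but now it does not, and I get the following message:

Error - no matching private/secret key found to decrypt message; click on 'Details' button for more information

But the private key is available, because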

gpg -d Desktop/mail.eml     

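makes the form appear. After filling in the passphrase, I can read the decrypted mail in the terminal.

Today, when I created a new key, another sign of the passphrase problem showed up. I could not create a revocation certificate because no passphrase was set. Again, that is not true.

I first noticed the problem on Monday, August 31.

I searched the internet and then did the following:

  1. Made sure a gpg-agent instance is running: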

    gpg-agent -v
    

    returns

    gpg-agent: gpg-agent running and available
    

    Contents of .gnupg/gpg-agent.conf:

    default-cache-ttl 0
    max-cache-ttl 0

  2. Went to dconf Editor desktop->gnome->crypto->cache and set gpg-cache-ttl to 0

  3. Thunderbird Enigmail->Clear Saved Passphrases gives an Enigmail Alert:

    You are using gpg-agent to handle passphrases. Passphrases therefore cannot be cleared from within Enigmail.

    Thunderbird Enigmail->Preferences->Basic Remember passphrase for 0 minutes of idle time

  4. Made gpg-agent forget my passphrase:

    pkill -SIGHUP gpg-agent
    
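  5. Seahorse->GnuPG keys: deleted all keys and re-imported them

None of the items above helped with the problem. I would like to know: how do I get Enigmail to ask for my passphrase again?

Thanks in advance!
Bronk

Edit

  1. Removing /etc/xdg/autostart/gnome-keyring-gpg.desktop had no effect.
  2. Removing seahorse had no effect.
  3. Using decrypt-file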

    Couldn't decrypt file: mail.eml.pgp
    Bad passphrase
    

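Answer 1

Try this: https://www.enigmail.net/support/gnupg2_issues.php In my case, I needed to install a graphical version of pinentry (the pinentry-qt4 package).

"Solving problems with GnuPG 2.x and gpg-agent

Note: GnuPG 2.x requires an "agent" to handle passphrases. By default this is done by gpg-agent, but there are other tools that implement part of its functionality. These instructions apply to gpg-agent only. If you use an agent such as gnome-keyring, seahorse-agent or KDE Wallet Manager, these instructions do not apply.

Most common problem

Symptoms

The most common problem is that gpg-agent (part of GnuPG) cannot launch pinentry (the tool used to query the passphrase). Enigmail will display messages like these: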

when reading messages:
Error - no matching private/secret key found to decrypt message; click on 'Details' button for more information

when sending messages:
- Send operation aborted. Error - encryption command failed
- Send operation aborted. Key 0x....... not found or not valid. The (sub-)key might have expired

How to analyze

Try sending a signed and unencrypted message to yourself.
Check the output in the Enigmail log: go to menu Enigmail > Debugging Options > View Log.
Search for the following text: parseErrorOutput: status message. You will probably find this message several times. Check what follows below.
If the message says something like "no pinentry", "problem with the agent", "Invalid IPC response" or "problem with gpg-agent", then there is something wrong with your gpg-agent and/or pinentry setup.

How to fix

Execute the following script from a terminal to find out if a graphical version of pinentry is used:

pinentry <<EOT
SETDESC Hello World
CONFIRM
EOT

You should get a graphical window with a confirmation message "Hello World". If a "window" is opened within your terminal window then pinentry is text-based, which does not work with Enigmail. To fix this, ensure that a graphical version of pinentry is installed. On Linux/Unix systems, these would typically be pinentry-qt/pinentry-qt4 or pinentry-gtk/pinentry-gtk2, and on Mac OS X pinentry-mac. Rename the existing pinentry file to "pinentry-text" or similar, and create a symlink from pinentry-qt, pinentry-qt4, pinentry-gtk, pinentry-gtk2 or pinentry-mac to pinentry. Then restart your PC.

If the above does not help, check the contents of $HOME/.gnupg/gpg-agent.conf. Make sure that there is a configuration entry pinentry-program containing the full path to a graphical version of pinentry as above. E.g.:

pinentry-program /usr/local/bin/pinentry-gtk

Then save the file and restart your PC.

If you still can't access your key, then execute the following script from a terminal:

gpg-connect-agent <<EOT
GETINFO version
EOT

The output should be something like the text below, where 2.0.26 represents the agent version number. The version number should match your gpg version number:

D 2.0.26
OK

If you get an error message like "ERR 280 not implemented" then you don't use gpg-agent, but one of the alternatives like gnome-keyring. We recommend you switch to gpg-agent by disabling your current agent. See e.g. askubuntu for how to disable gnome-keyring or how to disable KDE wallet.

If you get a useful result from above, then execute the following script from a terminal:

gpg-connect-agent <<EOT
GET_CONFIRMATION Hello
EOT

Pinentry should now open as a graphical window (just like above), with the difference to the step above that this instance of pinentry was launched from gpg-agent. If this is successful, then GnuPG 2 should work correctly in Enigmail.

If gpg-agent still cannot launch pinentry from Enigmail, then you need to start debugging gpg-agent. Execute the following commands from a terminal:

killall gpg-agent
gpg-agent --debug-level expert --use-standard-socket --daemon /bin/sh

This will start gpg-agent from the command line, open a new shell and print the debug output to that shell. If the command succeeded, you will see something like:
gpg-agent[76979]: gpg-agent 2.0.26 started
Leave the terminal window untouched, start Thunderbird and try to use Enigmail. As you'll try to access gpg-agent, you will see the output in your terminal window. If gpg-agent cannot start pinentry successfully, you will see something like this:

gpg-agent[76993]: starting a new PIN Entry
gpg-agent[76993]: chan_19 <- ERR 67109133 can't exec `/usr/bin/pinentry': No such file or directory
gpg-agent[76993]: chan_19 -> BYE
gpg-agent[76993]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[76993]: command get_passphrase failed: No pinentry

Press Ctrl+D in the terminal to end the debugging session. The bold line should tell you the reason for the error (in the example above, pinentry cannot be found). Try to fix the error and repeat the test."
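The checks from the instructions quoted above can be scripted. The following is an added example, not part of the answer or of the enigmail.net page: it reads the `pinentry-program` entry from a gpg-agent.conf, classifies it by file name, and extracts the failure lines from a gpg-agent debug log. The function names, temporary file names and the sample config are constructed for illustration; the log lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage a gpg-agent.conf and a gpg-agent debug log for the
# pinentry failures described above. All function names are hypothetical.

# Print the path from the last pinentry-program line of a gpg-agent.conf
# (taking the last such line is an assumption of this example).
configured_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' "$1" | tail -n 1
}

# Classify a pinentry binary by file name; text front ends do not work with Enigmail.
pinentry_kind() {
    case "${1##*/}" in
        pinentry-curses|pinentry-tty|pinentry-text) echo text ;;
        pinentry-qt*|pinentry-gtk*|pinentry-gnome3|pinentry-mac) echo graphical ;;
        *) echo unknown ;;
    esac
}

# Report the failure signatures from the debug session, one finding per line.
diagnose_agent_log() {
    sed -n \
        -e 's/.*can.t exec .\([^[:space:]]*\).: \(.*\)$/exec-failed \1 (\2)/p' \
        -e 's/.*command get_passphrase failed: \(.*\)$/get_passphrase-failed \1/p' \
        "$1"
}

# Combine both checks for one config file and one log file.
triage() {
    prog=$(configured_pinentry "$1")
    if [ -z "$prog" ]; then
        echo "config: no pinentry-program entry"
    else
        echo "config: $prog is $(pinentry_kind "$prog")"
    fi
    diagnose_agent_log "$2"
}

# Constructed sample input: a config pointing at a text pinentry, plus the
# debug lines quoted above.
tmp=$(mktemp -d)
printf '%s\n' 'pinentry-program /usr/bin/pinentry-curses' > "$tmp/gpg-agent.conf"
cat > "$tmp/agent.log" <<'EOT'
gpg-agent[76993]: starting a new PIN Entry
gpg-agent[76993]: chan_19 <- ERR 67109133 can't exec `/usr/bin/pinentry': No such file or directory
gpg-agent[76993]: command get_passphrase failed: No pinentry
EOT
triage "$tmp/gpg-agent.conf" "$tmp/agent.log"
rm -rf "$tmp"
```

To use it on a real setup, call `triage "$HOME/.gnupg/gpg-agent.conf" <saved debug output>`.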

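Answer 2

I had the same problem, but found that killing gpg-agent is a workaround.

(From the source code I found that you can enable enigmail logging by editing the "defaults/preferences/enigmail.js" file somewhere under ~/.thunderbird, setting the "extensions.enigmail.logDirectory" property to "/tmp". The log file "/tmp/enigdbug.txt" then shows the full gpg command that enigmail is running, ending in "--use-agent". I ran that gpg command from the command line, feeding it the encrypted e-mail message. It complained with the error message "gpg: problem with the agent: No pinentry". Googling that error message turns up suggestions to turn off gpg-agent. Meanwhile, the NSA is overjoyed that the user experience of PKI encryption is so bad.)

Answer 3

I had a similar problem. Thunderbird asked for my key passphrase again and again, and Gnome keyring did not remember it even though I asked it to. The problem was that gpg-agent was not running in my session. When I started it manually in the current session, the problem went away: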

gpg-agent --debug-level expert --use-standard-socket --daemon /bin/sh

To fix the problem permanently, you have to make sure the agent runs in your session:

  1. Check that you have the file /etc/X11/Xsession.d/90gpg-agent. Mine looks like this:

  : ${GNUPGHOME=$HOME/.gnupg}

  GPGAGENT=/usr/bin/gpg-agent
  PID_FILE="$GNUPGHOME/gpg-agent-info-$(hostname)"

  if grep -qs '^[[:space:]]*use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options" &&
     test -x $GPGAGENT &&
     { test -z "$GPG_AGENT_INFO" || ! $GPGAGENT 2>/dev/null; }; then

     if [ -r "$PID_FILE" ]; then
         . "$PID_FILE"
     fi

     # Invoking gpg-agent with no arguments exits successfully if the agent
     # is already running as pointed by $GPG_AGENT_INFO
     if ! $GPGAGENT 2>/dev/null; then
         STARTUP="$GPGAGENT --daemon --sh --write-env-file=$PID_FILE $STARTUP"
     fi
  fi

  2. Check that you have the file ~/.gnupg/gpg.conf, containing at least the following line:

    use-agent
    

If not, you can add it with the following command:

echo "use-agent" >>  ~/.gnupg/gpg.conf 

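Answer 4

In my case, I had no pinentry tool other than pinentry-curses (command line with pointer support). So, on Fedora, install any of the following passphrase/PIN entry dialogs:

  • pinentry-qt.x86_64, based on Qt4;
  • pinentry-gtk.x86_64, based on GTK+;
  • pinentry-emacs.x86_64, for emacs;
  • pinentry-gnome3.x86_64, for GNOME 3.

I used the GNOME 3 pinentry package.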
