Problem with pinentry on Mac OSX #325

Closed
opened 2018-04-13 15:22:18 +02:00 by CCheCastaldo · 4 comments
CCheCastaldo commented 2018-04-13 15:22:18 +02:00 (Migrated from github.com)

General information. Describe your environment

  • Versions
    • Operating system: MAC OS 10.13.4
    • Browser: Firefox 59.0.2
    • PassFF: 1.3
    • Host app: Current master branch

Status line output: [21:35:46] show -> gpg: decryption failed: No sec... (2)

  • Your preferences
    • In PassFF: Defaults
    • In the host app passff.py: Defaults except path to passff.py
  • Messages in the web console:

Actual behaviour

passff only works when pass has recently decrypted a file in the terminal. If this is the case, passff works for any entry. If pass has not been used recently then passff can see the files in pass. However, when I click on them and select an action, nothing happens (there is no output to the web console either). I tried/confirmed:

  1. I deleted any file passff.json in the folder NativeMessagingHosts and reinstalled the latest version of the host application. The only place on my system passff.json was installed was in the Application support folder in my home directory.

  2. I made sure passff.py is executable and I opened passff.json and verified the path is set to the absolute path of the host executable passff.py.

  3. I confirmed in the passff.py script that the path to pass matches its location in /usr/local/bin/pass, right where homebrew put it.

  4. I ran echo -e "\x02\x00\x00\x00[]" | /path/to/passff.py | tail -c +4; echo and the output was similar to the empty store output plus my actual files in pass.

  5. I know pass works just fine as I use it all the time from the command line.

Expected behaviour

passff should just work all the time and, I assume, prompt me for the passphrase within firefox? To be clear currently passff never prompts me for the passphrase to my gpg key responsible for encryption in pass.

Steps to reproduce the behaviour

  1. Try passff and it does not work.

  2. Decrypted a file with pass / gpg2, so I enter my passphrase.

  3. Tried passff. It works.

  4. Wait until pass requires the passphrase again and repeat step 3.

  5. passff fails.

Thanks for the troubleshooting help 5bentz!

Chris

5bentz commented 2018-04-13 19:22:49 +02:00 (Migrated from github.com)

Thanks for the thorough report!
I'm sorry to tell you the problem must not be in PassFF, or at least not directly. The problem is in the interaction of PassFF with its environment: presumably gpg-agent and your pinentry program.

I understood your problem because PassFF would sometimes work. It means something keeps states of what you are doing: this is the gpg-agent. It caches your passphrase for a while.

What kind of pin-entry program are you using?

Maybe a console pinentry cannot work with PassFF since the console is run by PassFF/Python3.

Is your pinentry working when the shell is non-interactive?

You can test that with this command (change the password name and the path to your passwords):

```
echo 'cd /path/to/.password-store; pass show passname' | at 'now + 1 minutes'
```

EDIT: at runs the command from the standard input 1 minute from now ;)

I don't have a Mac so I cannot help much more. You are on your own 😢

5bentz commented 2018-04-13 20:31:25 +02:00 (Migrated from github.com)

For reference, I moved the old conversation (#324) here

CCheCastaldo

I am having a similar, if not identical issue.

General information. Describe your environment

Versions
    Operating system: MAC OS 10.13.4
    Browser: Firefox 59.0.2
    PassFF: 1.3
    Host app: Current master branch

Status line output: [21:35:46] show -> gpg: decryption failed: No sec... (2)

Your preferences
    In PassFF: Defaults
    In the host app passff.py: Defaults except path to passff.py

Actual Behavior

I originally got passff to work but only intermittently. Sometimes it would connect to pass without a gpg error and I was able to goto, fill, etc. and sometimes I would get the gpg error and nothing would happen when trying to use passff. I saw this post and tried the suggestions from 5bentz and now it does not work at all. Right now, passff can see the files in pass. However, when I click on them and select an action, nothing happens (there is no output to the web console either). I tried/confirmed:

  1. I deleted any file passff.json in the folder NativeMessagingHosts and reinstalled the latest version of the host application. This is the only location on OS X where the host application puts files according to the passff documentation.

  2. I made sure passff.py is executable and I opened passff.json and verified the path is set to the absolute path of the host executable passff.py.

  3. I confirmed in the passff.py script that the path to pass matches its location in /usr/local/bin/pass, right where homebrew put it.

  4. I ran echo -e "\x02\x00\x00\x00[]" | /path/to/passff.py | tail -c +4; echo and the output was similar to the empty store output plus my actual files in pass.

  5. I know pass works just fine as I use it all the time from the command line.

Any help would be greatly appreciated. Thanks.

Chris

5bentz

@CCheCastaldo
To be honest, your problem is not similar since you don't have the same error in the statusline. Moreover, your passff can list the files whereas OP's cannot.

> This is the only location on OS X where the host application puts files according to the passff documentation.

Actually the doc seems wrong since the installer of the native host app has 2 paths for Firefox:

  • OS X
    • Per-user: ~/Library/Application Support/Mozilla/NativeMessagingHosts/passff.json
    • System-wide: /Library/Application Support/Mozilla/NativeMessagingHosts/passff.json

I guess you have a second path to check, while I do believe there should be nothing there.
Do a search of passff.json if you feel like doing it (find / -type f -name 'passff.json' on GNU)

> I know pass works just fine as I use it all the time from the command line.

OK.

Your error message may be [11:13:19] show -> gpg: decryption failed: No secret key (2)
I triggered this error by not entering my passphrase when I'm supposed to enter it in pinentry.

I suspect a problem with pin-entry. I do think your gpg-agent works since your passff would sometimes work.

  1. Try passff. (It should not work: error 2)
  2. Decrypt a file with pass / gpg2, so as to enter your passphrase. Theory: gpg-agent stores your passphrase for a while
  3. Try passff. Theory: it will work since gpg-agent will gracefully give the pw for you

You can create a new issue.

CCheCastaldo commented 2018-04-14 06:11:04 +02:00 (Migrated from github.com)

Ok, I figured this out. If you use homebrew to install gnupg, it installs pinentry as a dependency. However, pinentry only runs on the command line and therefore will not work with passff. The solution is to:

  1. brew install pinentry-mac

  2. Add pinentry-program /usr/local/bin/pinentry-mac to ~/.gnupg/gpg-agent.conf. You may need to create this file.

  3. Restart gpg from the terminal with gpgconf --kill gpg-agent.

Now if you use passff it will prompt you for your passphrase, which you can choose to save in the keychain if you like.

Credit to this post by Harpo Jaeger (http://www.harpojaeger.com/2017/09/20/enigmail-gnupg-pinentry-on-mac-os-x-using-homebrew) who had a similar problem with enigmail.

Chris


I've followed the instructions in the comment just above mine and passff still attempts to launch the cli pinentry:

```
gpg: pinentry launched (84781 curses 1.3.2 not a tty - - ? 501/20 0)
gpg: public key decryption failed: No such file or directory
```

This is on a
16" M4 Pro
MBP Nov 2024
macOS Sequoia 15.6.1
LibreWolf

As long as I decrypt the pass store beforehand, passff will work just fine.
But if I don't, it tries to launch the wrong pinentry even when the correct one is set in the S.gpg-agent.conf.
S.gpg-agent.conf is the file that was created when I attempted to save gpg-agent.conf.

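The checks this thread converges on, as an added shell example that is not part of the original thread or of PassFF: the agent's options live in a file named exactly `gpg-agent.conf` in the GnuPG home directory, and its `pinentry-program` line must point at an executable pinentry that does not need a terminal. The function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory for the pinentry setup discussed
# in this thread. Prints one finding per line; function names are hypothetical.

# Print the value of the last "pinentry-program" line in a config file.
configured_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

audit_gnupg_home() {
    home=$1
    conf="$home/gpg-agent.conf"

    # Files with similar names (S.gpg-agent.conf, gpg-agent.conf.txt, ...)
    # are not the file gpg-agent reads its options from.
    for f in "$home"/*gpg-agent.conf*; do
        [ -e "$f" ] || continue
        [ "$f" = "$conf" ] || echo "stray-file: ${f##*/}"
    done

    if [ ! -f "$conf" ]; then
        echo "missing: gpg-agent.conf"
        return 1
    fi

    prog=$(configured_pinentry "$conf")
    if [ -z "$prog" ]; then
        echo "unset: pinentry-program"
        return 1
    fi
    if [ ! -x "$prog" ]; then
        echo "not-executable: $prog"
        return 1
    fi
    case ${prog##*/} in
        pinentry-curses|pinentry-tty)
            # Terminal pinentries need a tty, which a browser-launched host lacks.
            echo "tty-only: $prog"; return 1 ;;
    esac
    echo "ok: $prog"
}
```

After sourcing the file, run `audit_gnupg_home "${GNUPGHOME:-$HOME/.gnupg}"`, then restart the agent with `gpgconf --kill gpg-agent` once the findings are resolved.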