
gpg: problem with fast path key listing: Forbidden - ignored

Open jmgilman opened this issue 2 years ago • 4 comments

Summary

When running any gopass commands that require decryption, I receive the following warning:

gpg: problem with fast path key listing: Forbidden - ignored

Steps To Reproduce

  1. Configure a new gopass vault using GPG
  2. Run any commands that require decryption (i.e. gopass show my/secret)
  3. See the warning appear

Expected behavior

I am expecting no warnings to be produced from GPG.

Environment

  • OS: NixOS
  • OS version: 22.11
  • gopass Version: 1.14.10
  • Installation method: From nixpkgs

Additional context

It's worth noting that I do not see this warning when performing other decryption actions using gpg from the CLI. I'm assuming that gopass must be doing something unique that's triggering this warning. Unfortunately, searching for the exact warning basically produces nothing.

It's also worth noting that I use gopass with a lot of other tools, namely aws-vault, and so when calling commands that rely on decryption I'm constantly seeing this warning appear. It would be nice to figure out how to make it stop.

gpg (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/josh/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
gpg-agent (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

jmgilman, Dec 22 '22 18:12

The code is confusing. But it looks like it's really only a warning: https://github.com/gpg/gnupg/blob/master/g10/call-agent.c#L2277

dominikschulz, Dec 23 '22 07:12

I found this NixOS discussion. This could either be a NixOS issue or a (breaking?) change in recent GPG releases.

dominikschulz, Dec 27 '22 08:12

I'm seeing the same message, but I cannot use GPG at all:

$ echo "test" | gpg --clear-sign
gpg: problem with fast path key listing: Forbidden - ignored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

The result is the same, with GPG_TTY set or not. Please help me get GnuPG to work; I currently need to bind-mount the ${HOME}/.gnupg directory from my host into my container :(

georglauterbach, Jul 21 '24 19:07

This conversation in the GnuPG mailing list

https://lists.gnupg.org/pipermail/gnupg-users/2024-April/067043.html

mentions:

If you use the extra-socket certain operations are forbidden so that a rogue gpg version on the remote site won't be able to change passwords, export secret keys, or get a listing of all available secret keys. This is why you see this diagnostic.

trallnag, Aug 03 '24 21:08
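The restricted-socket explanation quoted in the last comment can be checked from the client side. The following is an added example, not code from this thread or from the gopass or GnuPG projects: it asks the running agent whether the current connection is restricted (via the agent's `GETINFO restricted` command) and prints the standard and extra socket paths for comparison. The function names are hypothetical, and it assumes `gpg-connect-agent` and `gpgconf` are on the PATH.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Classify the agent's reply to "GETINFO restricted".
# gpg-agent answers OK when the connection is in restricted mode (the mode
# used for the extra socket) and an "ERR ... False" line on a normal socket.
classify_restricted_reply() {
    case "$1" in
        OK*)        echo restricted ;;
        ERR*False*) echo unrestricted ;;
        "")         echo no-agent ;;
        *)          echo unknown ;;
    esac
}

# Ask the agent gpg would use, without starting a new one.
agent_mode() {
    command -v gpg-connect-agent >/dev/null 2>&1 || { echo no-gpg; return 0; }
    reply=$(gpg-connect-agent --no-autostart 'getinfo restricted' /bye 2>/dev/null | tail -n 1)
    classify_restricted_reply "$reply"
}

# Print the connection mode and the socket paths gpgconf reports.
report() {
    mode=$(agent_mode)
    echo "agent connection: $mode"
    if command -v gpgconf >/dev/null 2>&1; then
        echo "standard socket:  $(gpgconf --list-dirs agent-socket)"
        echo "extra socket:     $(gpgconf --list-dirs agent-extra-socket)"
    fi
    if [ "$mode" = restricted ]; then
        echo "gpg is connected to a restricted socket; the agent refuses to list"
        echo "secret keys, which gpg reports as"
        echo "'problem with fast path key listing: Forbidden - ignored'."
    fi
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with `--report` inside the environment where the warning appears (for example the container or remote host).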