Michael Zaikin

Reputation: 1005

gpg-agent forwarding: inappropriate ioctl for device

I'm trying to set up gpg-agent forwarding in order to use pass (https://www.passwordstore.org) via ssh.

gpg version 2.2.9 both on local and remote hosts, installed by instructions: https://gist.github.com/vt0r/a2f8c0bcb1400131ff51

On local machine

$HOME/.gnupg/gpg-agent.conf

extra-socket /home/mickey/.gnupg/S.gpg-agent.remote

Reload agent

echo RELOADAGENT | gpg-connect-agent

Export public key

gpg --export -a mickey > mickey.gpg

Sign test data

echo "test" | gpg2 --encrypt -r mickey > out.gpg

Send public key and signed data

scp *.gpg REMOTE_HOST:

Create ssh session with reverse forwarding

ssh -R /run/user/1002/gnupg/S.gpg-agent:/home/mickey/.gnupg/S.gpg-agent.remote -o "StreamLocalBindUnlink=yes" REMOTE_HOST

On remote machine

Import public key

gpg --import mickey.gpg

Trust this key ultimately

gpg --edit-key mickey

trust 5 quit

Try to decrypt

gpg --decrypt -v out.gpg

Output
gpg: public key is FED6243A3325C554
gpg: connection to agent is in restricted mode
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: encrypted with 2048-bit RSA key, ID FED6243A3325C554, created 2018-07-23
      "mickey"
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key

So, agent socket forwarding is working; it seems there are some problems with the pinentry program. I could not find anything that worked for me on Google.

UPD

I tried to add pinentry-program /usr/bin/pinentry-tty to gpg-agent.conf; new error:

gpg: public key decryption failed: Invalid IPC response
gpg: decryption failed: No secret key

Upvotes: 83

Views: 70096
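An added example, not part of the question above: a small POSIX shell script that performs the same forwarding as the steps listed, but takes both socket paths from gpgconf instead of hard-coding /run/user/1002 and the home directory (the remote path must be whatever the remote gpg reports as its agent-socket, which is what the question's ssh -R line targets). The function names, the `--connect HOST` entry point and the `gpgconf --kill gpg-agent` step on the remote (so that no remote agent is listening on the path the forwarded socket is about to take) are assumptions of this example; the gpgconf output used to exercise the parser is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: forward the local restricted gpg-agent socket to a remote
# host, with both socket paths discovered via gpgconf rather than hard-coded.
set -eu

# Extract one entry from the multi-line form of `gpgconf --list-dirs`
# (colon-separated, values percent-escaped). $1 = field name,
# $2 = full gpgconf output. Prints the unescaped value, or nothing.
gpgconf_dir() {
    field=$1
    text=$2
    printf '%s\n' "$text" \
        | sed -n "s/^$field://p" \
        | sed -e 's/%3[aA]/:/g' -e 's/%25/%/g' \
        | head -n 1
}

# Build the ssh -R argument: bind REMOTE socket path ($1) to the LOCAL
# restricted (extra) socket ($2). The remote side gets the restricted
# socket, so key export and similar operations are refused there.
forward_arg() {
    printf '%s:%s' "$1" "$2"
}

# Interactive part: only runs when invoked as `./script --connect HOST`.
connect() {
    host=$1
    # Local side: the restricted socket gpg-agent exposes for forwarding
    # (the question configured it explicitly with extra-socket).
    local_extra=$(gpgconf_dir agent-extra-socket "$(gpgconf --list-dirs)")
    # Remote side: where the remote gpg expects to find its agent.
    remote_sock=$(gpgconf_dir agent-socket "$(ssh "$host" gpgconf --list-dirs)")
    # Make sure no remote agent is answering on that path instead of ours.
    ssh "$host" gpgconf --kill gpg-agent
    exec ssh \
        -o StreamLocalBindUnlink=yes \
        -o ExitOnForwardFailure=yes \
        -R "$(forward_arg "$remote_sock" "$local_extra")" \
        "$host"
}

if [ "${1:-}" = "--connect" ]; then
    connect "$2"
fi
```

While the session is open, any process on the remote host that can open the forwarded socket (the remote user, and root there) can decrypt and sign with your local keys through the restricted connection, so keep such sessions short and only forward to hosts you would trust with that capability.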

Answers (4)

Carlo Wood

Reputation: 6821

Either GPG_TTY or DISPLAY needs to be set. If both are set, DISPLAY will be used.

You can mimic this with, say,

DISPLAY="" GPG_TTY="" gpg --decrypt --armor encrypted.asc > output.txt 2>&1 < /dev/null

which will write the error to output.txt:

>cat output.txt
gpg: encrypted with elg3072 key, ID 0x6918958296941284, created 2011-01-13
      "Carlo Wood <[email protected]>"
gpg: using "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEF" as default secret key for signing
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: Inappropriate ioctl for device

Setting either DISPLAY (e.g. to ":0.0") or GPG_TTY (to the output of the command tty) should make this work again, even though this gpg command has no tty.

For this reason, if you are trying to do this over ssh, you need to preserve your X environment (have a remote DISPLAY set that is tunneled back to your home machine); and that can be done by adding the -X option to ssh.

Upvotes: 0

fuzzyTew

Reputation: 3778

When running gpg from a script, the --batch argument must be provided.

Upvotes: 7

Gaia

Reputation: 2952

This method does not work when you are inside an LXC container. Instead, add this to ~/.gnupg/gpg.conf:

use-agent 
pinentry-mode loopback

Then add this to ~/.gnupg/gpg-agent.conf

allow-loopback-pinentry

Then restart the agent with echo RELOADAGENT | gpg-connect-agent.

(source)

Upvotes: 45

user787267

Reputation: 3010

It happens when GPG is confused about where to read input from. Simply configuring it to look for input from the tty (the terminal connected to standard input) fixes it:

export GPG_TTY=$(tty)

Upvotes: 160
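An added example that ties the four answers above together; it is not code from any of the answerers. It chooses between the two working configurations the answers describe: when a terminal (or DISPLAY/GPG_TTY) is available it exports GPG_TTY as in the most-voted answer, and when there is none at all (a script, cron job or container) it runs gpg with --batch and loopback pinentry, adding allow-loopback-pinentry to gpg-agent.conf and reloading the agent as in Gaia's answer. The function names, the `--decrypt FILE` entry point and the per-invocation `--pinentry-mode loopback --passphrase-fd 0` flags (instead of putting pinentry-mode in gpg.conf) are this example's choices.

```shell
#!/bin/sh
# Added example: run a gpg decrypt so the passphrase prompt works both from
# an interactive terminal and from a context that has no tty at all.
set -eu

# Append a line to a config file unless it is already present (idempotent,
# so it is safe to call on every run).
ensure_conf_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Name of the controlling terminal, or empty when there is none.
# (`tty` prints "not a tty" on failure, so the output must not be trusted
# unless the exit status is 0.)
current_tty() {
    if t=$(tty 2>/dev/null); then
        printf '%s' "$t"
    fi
}

# Decide how gpg can reach the user for a passphrase.
# $1 = GPG_TTY, $2 = DISPLAY, $3 = current tty name (each may be empty).
# Prints "tty" if any of them is set, otherwise "loopback".
pinentry_mode() {
    if [ -n "$1" ] || [ -n "$2" ] || [ -n "$3" ]; then
        echo tty
    else
        echo loopback
    fi
}

decrypt_file() {
    infile=$1
    t=$(current_tty)
    mode=$(pinentry_mode "${GPG_TTY:-}" "${DISPLAY:-}" "$t")
    case $mode in
        tty)
            # Tell gpg (and through it the agent) which terminal pinentry
            # should use; without this the "Inappropriate ioctl" error appears.
            if [ -n "$t" ]; then
                GPG_TTY=${GPG_TTY:-$t}
                export GPG_TTY
            fi
            gpg --decrypt "$infile"
            ;;
        loopback)
            # No terminal anywhere: let gpg read the passphrase from stdin.
            # The agent must permit loopback pinentry for this to work.
            ensure_conf_line "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" allow-loopback-pinentry
            echo RELOADAGENT | gpg-connect-agent >/dev/null
            gpg --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt "$infile"
            ;;
    esac
}

if [ "${1:-}" = "--decrypt" ]; then
    decrypt_file "$2"
fi
```

In loopback mode the passphrase travels through the gpg process and whatever feeds its stdin rather than through the agent's own pinentry, so the caller is responsible for not leaving it in shell history, process arguments or logs.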
