gpg-agent says agent exists, but gpg says agent doesn't exist?
- You can check the exit code of gpg-connect-agent /bye
- You can check whether the socket given in $GPG_AGENT_INFO exists. That should be enough but you can also check with fuser or lsof whether the process given in $GPG_AGENT_INFO is the one that has opened the socket. And if you want to be really exhaustive you can also check whether /proc/$PID/exe is a link to /usr/bin/gpg-agent (or whatever).
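The checks listed above, as an added example that is not part of any of the posts here: a small POSIX shell script that parses a GPG_AGENT_INFO value, confirms the socket and the process, and prefers asking the agent via gpg-connect-agent when that tool is installed. It assumes the GnuPG 2.0-style value "socket-path:pid:protocol-version" and a Linux /proc filesystem for the executable check; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original posts): validate the agent that
# GPG_AGENT_INFO points at before trusting it.
# Assumes the GnuPG 2.0-style value "socket-path:pid:protocol-version"
# and a Linux /proc filesystem for the executable check.

# Parse a GPG_AGENT_INFO value into AGENT_SOCK, AGENT_PID, AGENT_PROTO.
# The pid and protocol are taken as the last two colon-separated fields,
# so a socket path containing ':' still parses. Returns 1 if malformed.
parse_agent_info() {
    case "$1" in *:*:*) ;; *) return 1 ;; esac
    AGENT_PROTO=${1##*:}
    _rest=${1%:*}
    AGENT_PID=${_rest##*:}
    AGENT_SOCK=${_rest%:*}
    case "$AGENT_PID" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$AGENT_SOCK" ] || return 1
}

# Check the agent described by $1 (default: $GPG_AGENT_INFO).
# Return codes: 0 agent looks genuine; 2 malformed value; 3 socket missing;
# 4 pid not running (or owned by another user, which is just as suspect);
# 5 cannot read /proc/<pid>/exe; 6 pid belongs to something other than gpg-agent.
check_agent_info() {
    parse_agent_info "${1:-$GPG_AGENT_INFO}" || return 2
    [ -S "$AGENT_SOCK" ] || return 3
    kill -0 "$AGENT_PID" 2>/dev/null || return 4
    _exe=$(readlink "/proc/$AGENT_PID/exe" 2>/dev/null) || return 5
    case "$_exe" in */gpg-agent) return 0 ;; *) return 6 ;; esac
}

# Prefer asking the agent directly when gpg-connect-agent is installed;
# fall back to inspecting GPG_AGENT_INFO otherwise.
agent_alive() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent /bye >/dev/null 2>&1
    else
        check_agent_info
    fi
}
```

A caller can branch on the return code of check_agent_info, for example to discard a stale GPG_AGENT_INFO (code 3 or 4) and start a fresh agent instead of silently proceeding.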
The running gpg agent's major version is 2. You should invoke gpg2 rather than gpg as answered here: https://unix.stackexchange.com/questions/231386/how-to-make-gpg-find-gpg-agent
So far the best workaround I have is the following hideous mess:
if ! test -v GPG_AGENT_INFO; then
    if gpg-agent 2>/dev/null; then
        # An agent is running but we were not told where its socket is;
        # look for the env file in the places it is commonly written to.
        if test -e /tmp/.gpg-agent-$USER/env; then
            . /tmp/.gpg-agent-$USER/env
        elif test -e ~/.gpg-agent-info; then
            . ~/.gpg-agent-info
        else
            echo 'A gpg agent is running, but we cannot find its socket info because'
            echo 'the GPG_AGENT_INFO env var is not set and gpg agent info has not been'
            echo 'written to any expected location. Cannot continue. Please report this'
            echo 'issue for investigation.'
            exit 5
        fi
    else
        # No agent: start one and have it write its socket info to a
        # directory only we can read.
        d=/tmp/.gpg-agent-$USER
        # Create the directory private from the start (mode 700 rather than
        # mkdir followed by chmod). If it already exists it must be our own
        # real directory, not a symlink or a directory someone else planted
        # in /tmp, otherwise we would source a file we do not control.
        if ! mkdir -m 700 "$d" 2>/dev/null; then
            if [ -L "$d" ] || [ ! -O "$d" ]; then
                echo "$d exists but is not a directory we own; refusing to use it."
                exit 5
            fi
            chmod 700 "$d"
        fi
        gpg-agent --daemon --write-env-file "$d/env"
        . "$d/env"
    fi
    # The env file doesn't include an export statement
    export GPG_AGENT_INFO
else
    # GPG_AGENT_INFO is set: make sure the agent it names is actually up.
    if ! gpg-agent 2>/dev/null; then
        echo 'GPG_AGENT_INFO is set, but cannot connect to the agent.'
        echo 'Unsure how to proceed, so aborting execution. Please report this'
        echo 'issue for investigation.'
        exit 5
    fi
fi
This will check for GPG_AGENT_INFO in the environment and if it's set, make sure gpg-agent is actually running. (I'm not yet sure how this interacts with other gpg-agent implementations like GNOME's agent.) If the agent info is set but the agent is not running it doesn't know how to cope and gives up.
If the agent info isn't set it checks to see if the agent is running. If it is, it looks for the env info in a couple of well known locations and if it fails to find it, gives up.
If the agent isn't running and the agent info is unset, it starts an agent, writes the env file to a private location, and proceeds.
To say that I'm unhappy with this horrible, user-hostile and unreliable hack is an understatement.
It's very surprising that gpg, a security/crypto tool, will ignore arguments and proceed. --use-agent should be a fatal error if an agent is not running, at least optionally, much as specifying -r with an invalid recipient should be an error rather than ignored. The fact that gpg finds its agent a different way to the gpg-agent command is bewildering.
On my Ubuntu system gpg-agent is configured to write its environment file to ~/.gnupg/gpg-agent-info-$(hostname) (which is done by /etc/X11/Xsession.d/90gpg-agent). If your system doesn't do this you could modify the way the agent is started to write an environment file in a well-known location which can later be sourced. For example:
$ gpg-agent --daemon --write-env-file="$HOME/.gnupg/gpg-agent-info"
$ source ~/.gnupg/gpg-agent-info