
No pinentry #56

Open
chrBrd opened this issue Jan 25, 2024 · 12 comments

Comments

@chrBrd

chrBrd commented Jan 25, 2024

Issue as in title.

@travier
Member

travier commented Jan 25, 2024

This is not enough information to help you here.

@Erick555

Did you have gpg-agent running, as in the instructions?

@chrBrd
Author

chrBrd commented Feb 4, 2024

This is not enough information to help you here.

I'm afraid there's nothing I can add that's genuinely useful. pinentry is installed on the system, gpg-agent is running.

I've even tried using --pinentry-program with a couple of different pinentry binaries when starting gpg-agent.

Issue still as in title. :)

Is there any information you suggest I provide?

@Erick555

Erick555 commented Feb 4, 2024

Do you have a gpg-agent socket in /run/user/<id>/gnupg?

It was confirmed to work in Flatpak and in Kleopatra specifically:

https://blog.grdryn.me/blog/flatpak-emacs-with-gpg-agent.html

flathub/flathub#3182 (comment)

@chrBrd
Author

chrBrd commented Feb 4, 2024

Do you have a gpg-agent socket in /run/user/<id>/gnupg?

Yep, daemon's running just fine.

It looks like it only works with pinentry-qt[4/5] (I normally use the console mode or GNOME's).

I've just got it working by installing that and starting the daemon with:
gpg-agent --pinentry-program /usr/bin/pinentry-qt --daemon

@Keyaku

Keyaku commented Mar 18, 2024

I'm also running into this issue; using pinentry-qt as mentioned by @chrBrd solves it (or at least Kleopatra doesn't complain anymore), which means I have to put it in gpg-agent.conf.

EDIT: Apparently, using socket=gpg-agent instead of host=xdg-run/gnupg also causes this issue if Kleopatra launches the agent (i.e. if no gpg-agent was running prior to launching the app).
Using host=xdg-run/gnupg + the pinentry setting mentioned above will work.

@Erick555

Erick555 commented Mar 18, 2024

Does it work when the agent is running before Kleopatra?

@Keyaku

Keyaku commented Mar 18, 2024

Does it work when the agent is running before Kleopatra?

Yes, but only with the pinentry option mentioned above.

@chrBrd
Author

chrBrd commented Mar 18, 2024

If the agent isn't running before Kleopatra then there are no certificates to encrypt or decrypt anything with; pinentry isn't really relevant.

Things have changed for me after the recent Flatpak update and pinentry-qt no longer works, but console pinentry methods now do (with caveats, see below).

I've done some brief experimenting with different pinentry options, starting Kleopatra using flatpak run -vvvv in a console.

OS: openSUSE Tumbleweed with SwayWM

Kleopatra details:
Version: 3.1.28.230805
Origin: flathub
Installation: system
Installed: 165.6 MB
Runtime: org.kde.Platform/x86_64/5.15-23.08
Sdk: org.kde.Sdk/x86_64/5.15-23.08
Commit: a9611316e6c10ca00ce0789e8916aafcfa5eba092646a2b68f8a9ffc3e5a125d

Error messages below are as shown in the 'Diagnostics' popup, e.g.:

gpg: signing failed: <ERROR_MSG>
gpg: -&38: sign+encrypt failed: <ERROR_MSG>

No additional information was shown in the terminal output from flatpak run... when attempting any of the below.

pinentry-[qt/qt4/qt5/gtk2]: 'No pinentry'
pinentry-gnome3: 'pinentry error'
pinentry-[curses/tty/fltk]: Works, but (on my system, might be different in a full DE) if Kleopatra isn't started from a console with flatpak run ... then the pinentry-... process will run in the background and ultimately timeout.

@gamer191

gamer191 commented May 23, 2024

It took me about 2 hours to figure out how to change the pinentry program Kleopatra uses. For other users having this issue, the command sudo update-alternatives --config pinentry will interactively ask you which program should be the default pinentry method.

Shoutout to https://unix.stackexchange.com/a/447045

EDIT: pinentry-curses doesn't seem to work: "Inappropriate ioctl for device".

EDIT 2: pinentry-qt works for me. If it doesn't work, install all pinentries using sudo apt install pinentry-*, then test each of them.

@orionn333

I noticed this some months ago, but it wasn't until now that I decided to look further into the matter.

I had already configured gpg-agent to be started on system startup:
gpg-agent --pinentry-program /usr/bin/pinentry-qt --daemon

Checking the logs, I found the following:

Failed to create wl_display (No such file or directory)
qt.qpa.xcb: could not connect to display :0
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vkkhrdisplay, vnc, wayland-egl, wayland, xcb.
Process 20311 (pinentry-qt) of user 1000 terminated abnormally without generating a coredump.

So I decided to manually run pinentry-qt (typing GETPIN) and look for problems in my host setup, but it ran successfully.

After replacing the pinentry program in gpg-agent with a custom one (so that I could inspect the env. vars.), I finally discovered what was wrong:
pinentry-qt was being invoked with the env. var. WAYLAND_DISPLAY=/run/flatpak/wayland-0.
I'm not super knowledgeable in Flatpaks or anything, so my first impression was that they don't have access to the host user wayland socket, which is expected.

When pinentry is called, the env. vars. are the ones from the Flatpak environment, and since gpg-agent is being run outside the Flatpak container, pinentry-qt cannot be launched (obviously, /run/flatpak/wayland-0 does not exist on the host).

As a workaround, I created a wrapper that sets WAYLAND_DISPLAY=wayland-0 and then calls pinentry-qt. I configured gpg-agent to use it, and now Kleopatra works as expected.

This started happening on Flatpak 1.15.6, mainly due to:

  • Add support for Wayland security context (#4920).

Previous behaviour was:
1. If the env. var. WAYLAND_DISPLAY wasn't set, it would then set its value to "wayland-0" (which is /run/user/<user-id>/wayland-0).
2. Create a symlink, inside the sandbox, located in the expected path, according to the value of WAYLAND_DISPLAY (for "wayland-0", /run/user/<user-id>/wayland-0), and which would point to /run/flatpak/<wayland-display>, the sandboxed Wayland socket. (In the prev. ex.: /run/flatpak/wayland-0).
WAYLAND_DISPLAY remains the same.

But now:
1. A new private Wayland socket is created on the host (/run/user/<user-id>/.flatpak/wl/wayland-<XXXXXX>), which is then bound to the sandbox path /run/flatpak/<wayland-display>.
2. Inside the sandbox, WAYLAND_DISPLAY value is updated to /run/flatpak/<wayland-display>.

I have not investigated further, but from what I've seen so far, if some random env. vars. and WAYLAND_DISPLAY are modified inside the sandbox, the WAYLAND_DISPLAY value inside the sandbox will be passed to pinentry while the other variables won't. The rest of env. variables that were provided to gpg-agent are the ones passed to pinentry, no matter what was done inside the sandbox. I guess it has something to do with bwrap, but I don't know for sure.

Technically, it will also work if the wrapper is modified to call env WAYLAND_DISPLAY=/run/user/<user-id>/.flatpak/wl/wayland-<XXXXXX> pinentry-qt, but the "XXXXXX" string MUST correspond with an active socket (ideally from the “parent” Kleopatra instance). There will be different sockets for every instance of any Flatpak app (at least from the current boot), so it isn't practical at all as a workaround.

Wrapper

pinentry-wrapper.sh:

#!/usr/bin/sh
# Override the sandbox-only /run/flatpak/<wayland-display> value with the host's
# default socket name before starting the real pinentry.
env WAYLAND_DISPLAY=wayland-0 pinentry-qt "$@"

TL;DR

With Flatpak 1.15.6 (or higher), Kleopatra invokes pinentry-qt with the environment variable WAYLAND_DISPLAY=/run/flatpak/<wayland-display>, and since pinentry runs at host level instead of within the Flatpak sandbox, it can't get access to a Wayland display.
I got Kleopatra to successfully retrieve data from pinentry-qt by creating a wrapper that sets WAYLAND_DISPLAY=wayland-0 and then calls pinentry.
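
Added example, not code from this issue or from the Kleopatra or Flatpak projects: a more defensive version of the wrapper idea above. Instead of hardcoding wayland-0, it keeps WAYLAND_DISPLAY when the socket it names actually exists on the host and otherwise falls back to the first wayland-N socket under XDG_RUNTIME_DIR, so it also handles a host compositor that is not on wayland-0 and leaves the environment untouched when nothing usable is found. The variable names PINENTRY_REAL, PINENTRY_WRAPPER_LOG and WRAPPER_SOCKET_TEST and the file name pinentry-wrapper.sh are assumptions of this example; the Flatpak paths are the ones described in the comment above.

```shell
#!/bin/sh
# Added example: a defensive pinentry wrapper for the Flatpak/Kleopatra case
# described above. Not code from the issue or from the Kleopatra/Flatpak
# projects. gpg-agent runs on the host, but the WAYLAND_DISPLAY it inherits
# from the sandboxed Kleopatra instance is /run/flatpak/<wayland-display>,
# a path that only exists inside the sandbox, so pinentry-qt cannot connect.
#
# Assumed knobs (all hypothetical names):
#   PINENTRY_REAL        the real pinentry to exec (default /usr/bin/pinentry-qt)
#   PINENTRY_WRAPPER_LOG optional file for a one-line diagnostic per invocation
#   WRAPPER_SOCKET_TEST  file test used to recognise a socket (default -S;
#                        overridable so the logic can be exercised without a
#                        compositor)
WRAPPER_SOCKET_TEST=${WRAPPER_SOCKET_TEST:--S}

# pick_wayland_display RUNTIME_DIR CURRENT_WAYLAND_DISPLAY
# Prints the WAYLAND_DISPLAY value pinentry should see and returns 0, or
# prints nothing and returns 1 if no usable socket is found.
#   1. A value naming a socket that exists on the host is kept as-is
#      (relative names are looked up under RUNTIME_DIR, as libwayland does).
#   2. Otherwise the first wayland-<N> socket in RUNTIME_DIR is used, which
#      also covers a host compositor that is not on wayland-0.
pick_wayland_display() {
    rundir=$1
    cur=$2
    case "$cur" in
        "") ;;
        /*) [ "$WRAPPER_SOCKET_TEST" "$cur" ] && { printf '%s\n' "$cur"; return 0; } ;;
        *)  [ "$WRAPPER_SOCKET_TEST" "$rundir/$cur" ] && { printf '%s\n' "$cur"; return 0; } ;;
    esac
    for sock in "$rundir"/wayland-[0-9]*; do
        case "$sock" in *.lock) continue ;; esac   # skip wayland-N.lock files
        if [ "$WRAPPER_SOCKET_TEST" "$sock" ]; then
            printf '%s\n' "${sock##*/}"
            return 0
        fi
    done
    return 1
}

main() {
    real=${PINENTRY_REAL:-/usr/bin/pinentry-qt}
    rundir=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    orig=${WAYLAND_DISPLAY:-}
    chosen=
    if chosen=$(pick_wayland_display "$rundir" "$orig"); then
        WAYLAND_DISPLAY=$chosen
        export WAYLAND_DISPLAY
    fi
    # Optional diagnostics: record only the display-related variables. The
    # passphrase travels over pinentry's stdin/stdout, which exec below passes
    # through untouched and which is never written here.
    if [ -n "${PINENTRY_WRAPPER_LOG:-}" ]; then
        printf '%s WAYLAND_DISPLAY=%s -> %s DISPLAY=%s\n' \
            "$(date +%Y-%m-%dT%H:%M:%S)" "$orig" "${chosen:-unchanged}" "${DISPLAY:-}" \
            >>"$PINENTRY_WRAPPER_LOG"
    fi
    exec "$real" "$@"
}

# Only act as a pinentry when installed under the wrapper's file name, so the
# functions above can also be sourced or exercised on their own.
case "${0##*/}" in
    pinentry-wrapper|pinentry-wrapper.sh) main "$@" ;;
esac
```

Install it as, say, /usr/local/bin/pinentry-wrapper.sh, point gpg-agent at it with `pinentry-program /usr/local/bin/pinentry-wrapper.sh` in ~/.gnupg/gpg-agent.conf, and run `gpgconf --reload gpg-agent`. The fallback scan only looks at $XDG_RUNTIME_DIR, which is owned by the same user, so the wrapper never redirects pinentry to a display it would not already be allowed to use; the optional log is there to confirm which value was seen and which was chosen when the "No pinentry" error reappears.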

@Erick555

Erick555 commented Jul 2, 2024

Please report it as regression in https://github.com/flatpak/flatpak/issues


6 participants