Does not fill in password
Closed this issue · 15 comments
Can't seem to get the extension to fill passwords.
- Visit site login page
- List of passwords shows in extension
- Select login
- Username / email field is filled with the filename of the password. Password field is left blank
I have gpg-agent and a pinentry program. I assume they are set up correctly (i.e. it works from the terminal). Dotfiles are here: https://github.com/wjdp/dotfiles
Does this happen on all login forms or just one particular web page form?
Do you see any error being displayed in the extension popup?
Can you check the output of the Chrome javascript console and see if there are any errors there too?
At this stage it is very unlikely that I can help you with this issue unless I can replicate it. Note that I have only tested this on Ubuntu 16.04 and it works perfectly for me.
- All web forms
- No messages in the extension popup
- No messages in Chrome dev console
Under no illusion this is a tricky one 😄
Running Ubuntu 16.04 with the i3 window manager, this may be changing the environment slightly.
Same here:
chromium-browser --version
Chromium 58.0.3029.110 Built on Ubuntu , running on Ubuntu 16.04
and
google-chrome --version
Google Chrome 58.0.3029.110
pass:
$ pass --version
============================================
= pass: the standard unix password manager =
= =
= v1.6.5 =
= =
= Jason A. Donenfeld =
= Jason@zx2c4.com =
= =
= http://www.passwordstore.org/ =
============================================
gpg-agent:
$ gpg-agent --version
gpg-agent (GnuPG) 2.1.11
libgcrypt 1.6.5
nativePass location:
$ which nativePass
/home/users/maarten/.local/bin/nativePass
nativePass version:
$ pip3 freeze | grep pass
chrome-pass==0.2.1
chrome-pass plugin: also 0.2.1
Window manager: cinnamon (although I can't really imagine that makes a difference)
@wjdp @mrtndwrd I would need your help to debug this issue as I cannot replicate it on my system. Since you mention that the list of passwords does appear in the extension popup I assume that the extension and native pass are installed correctly. If only the password is not being filled it can only mean that the GPG decryption in the nativeApp is not working.
I just published a new version of the nativePass application that contains an additional command to test password decryption. Please install the new version:
pip3 install --user chrome-pass==0.2.2
nativePass install
With this command in place you can now run the following to get a list of credentials with decrypted passwords:
nativePass pass gmail.com
The above command will print all credentials/passwords that match gmail.com. You can test with any credentials you have. Warning: this will output all your passwords to stdout if successful.
You may also try to test if your python3 installation is able to decrypt the passwords using the following python code:
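import gnupg
import os
gpg = gnupg.GPG()
# open() does not expand "~", so resolve it to the full path first
path = os.path.expanduser("~/.password-store/path/to/a/password.gpg")
txt = open(path, "rb")
data = gpg.decrypt_file(txt)
if data.status == "decryption ok":
    # the password is the first line of the decrypted file
    password = data.data.decode('utf-8').split("\n")[0]
    print("Password: %s"%password)
else:
    print("Decryption failed : %s"%data.status)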
The code above is the exact same code used by the nativePass application to decrypt the passwords. If that does not work then we need to find out why.
Some notes:
- The path in the open() method must be the full path to the .gpg file that contains the password.
- Note that if decryption fails (e.g. data.status is not ok) then nothing gets returned; that matches the behavior you are seeing. I will change this so if there is a decode error I return an error instead.
- Not sure but if your locale is not English maybe data.status returns a different message? In that case I would like to know what it is returning.
- The decoded data actually includes all the data inside the .gpg file. I simply take the first line of the file (e.g. data.decode('utf-8').split("\n")[0]). Make sure your passwords are at the first line of the gpg files.
Right. Which version of gnupg are you using? I tried with two different versions, yielding different results:
Ubuntu default:
In [4]: gnupg.__version__
Out[4]: '0.4.1'
In [6]: import gnupg
...: import os
...:
...: gpg = gnupg.GPG()
...: txt = open("<my-key>.gpg", "rb")
...: data = gpg.decrypt_file(txt)
...: if data.status == "decryption ok":
...:     password = data.data.decode('utf-8').split("\n")[0]
...:     print("Password: %s"%password)
...: else:
...:     print("Decryption failed : %s"%data.status)
...:
Decryption failed : decryption failed
Newest version on pip: gnupg-2.3.0:
In [2]: gnupg.__version__
Out[2]: '2.3.0'
In [3]: import gnupg
...: import os
...:
...: gpg = gnupg.GPG()
...: txt = open("<my-key>.gpg", "rb")
...: data = gpg.decrypt_file(txt)
...: if data.status == "decryption ok":
...:     password = data.data.decode('utf-8').split("\n")[0]
...:     print("Password: %s"%password)
...: else:
...:     print("Decryption failed : %s"%data.status)
...:
Decryption failed : None
Middle ground, newest 1.* version:
In [2]: import gnupg
...:
...: print(gnupg.__version__)
...:
...: import os
...:
...: gpg = gnupg.GPG()
...: txt = open("<my-key>.gpg", "rb")
...: data = gpg.decrypt_file(txt)
...: if data.status == "decryption ok":
...:     password = data.data.decode('utf-8').split("\n")[0]
...:     print("Password: %s"%password)
...: else:
...:     print("Decryption failed : %s"%data.status)
...:
1.4.0
Decryption failed : decryption failed
Last thing I tried (with python gnupg 2.3.0):
In [14]: gpg = gnupg.GPG(binary="/usr/bin/gpg2", verbose="vv")
In [15]: txt = open("<my-key>.gpg", "rb")
...: data = gpg.decrypt_file(txt)
...: if data.status == "decryption ok":
...:     password = data.data.decode('utf-8').split("\n")[0]
...:     print("Password: %s"%password)
...: else:
...:     print("Decryption failed : %s"%data.status)
...:
Decryption failed : decrypt 4294967295
I don't know what's happening here anymore.
Full disclosure: I am using a GPG smart card instead of keys that are saved on the hard drive, but as long as python-gnupg is just a wrapper around gpg2, I think that should not be a problem...
@mrtndwrd thanks for the feedback. As suspected the decryption is giving troubles for some reason. For reference I use gnupg version 0.3.9 with gpg2 binary.
If you change the nativePass code so it works with your last example does the extension work for you?
import gnupg
import os
print(gnupg.__version__)
gpg = gnupg.GPG()
txt = open(".password-store/key.gpg", "rb")
data = gpg.decrypt_file(txt)
if data.status == "decryption ok":
    password = data.data.decode('utf-8').split("\n")[0]
    print("Password: %s"%password)
else:
    print("Decryption failed : %s"%data.status)
yields
0.4.1
Decryption failed : decryption failed
Seems same issue as @mrtndwrd. I suspect while gpg-agent is working within our shell environments, when running elsewhere on the system it is not set up correctly. Beyond this I know very little about the workings of gpg.
(I mention window manager previously as using something other than Ubuntu's default forces you to do some of the setup work for tools like gpg-agent, whereas unity does this for you.)
With the nativePass tool I get ~600 lines of top level items in my pass directory like:
$ nativePass pass live.com
…
compare gov and pass score 0.0000
compare twitter.com and pass score 0.0000
compare twitter.com and pass score 0.0000
compare live.com and pass score 0.0000
compare licence and pass score 0.0000
@mrtndwrd @wjdp thanks for the debugging. Reading the documentation of gnupg python module it looks like by default it does not use gpg-agent. Also found some other details that can help improve the decoding code: https://pythonhosted.org/python-gnupg
Would you mind trying again using the following modified code?
import gnupg
import os
print(gnupg.__version__)
PASSFILE="/full/path/to/password.gpg"
gpg = gnupg.GPG(use_agent=True)
txt = open(PASSFILE, "rb")
data = gpg.decrypt_file(txt)
if data.ok:
    password = data.data.decode('utf-8').split("\n")[0]
    print("Password: %s"%password)
else:
    print("Decryption failed : %s"%data.stderr)
When creating the gpg object try different options like gpgbinary, gnupghome, etc. And let me know the results you get.
@wjdp the output you show above is from nativePass 0.2.1 and below. On version 0.2.2 you should actually get a list of the password paths and the decrypted passwords:
pass /Services/godaddy.com/account1 [secret password]
pass /gmail.com/account002 [secret password]
....
After some more investigation it seems the python-gnupg module found in pip is a modified version of the original module. After installing that version on my machine the plugin and the test script above stopped working on my machine too.
If possible please uninstall any gnupg package you have installed on your machines and leave the default one that comes with python. Just uninstalling anything gnupg related via "pip3 uninstall" would do. Then test to see if the test script works for you.
And also I just released version 0.2.3 of the extension with some usability improvements. Now errors are shown in the popup window as they should.
I just found out yesterday I was testing with the wrong gnupg: there's python-gnupg and gnupg. I uninstalled everything, but then I'm unable to import gnupg from python, so I don't have the "default" you are talking about.
I installed python3-gnupg from the Ubuntu repo (apt install python3-gnupg), which is version 0.3.8:
0.3.8
Decryption failed : [GNUPG:] ENC_TO 11DA7FF654ACA739 1 0
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
[GNUPG:] CARDCTRL 5
gpg: card reader not available
gpg: encrypted with 2048-bit RSA key, ...
gpg: public key decryption failed: general error
[GNUPG:] ERROR pkdecrypt_failed 1
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: secret key not available
[GNUPG:] END_DECRYPTION
Now I found out that this is the same problem as when I try to decrypt using gpg instead of gpg2:
$ gpg --decrypt <pass.gpg>
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: card reader not available
gpg: encrypted with 2048-bit RSA key, ID 0x11DA7FF654ACA739, created 2016-02-29
"Maarten de Waard <maarten@greenhost.nl>"
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available
Tried again to set the binary to gpg2, but this time with python-gnupg instead of gnupg:
In [10]: import gnupg
...: import os
...:
...: print(gnupg.__version__)
...:
...: PASSFILE="/home/users/maarten/.password-store/greenhost/cosmos-accept.greenhost.nl/maarten.gpg"
...:
...: gpg = gnupg.GPG(gpgbinary="/usr/bin/gpg2", use_agent=True)
...: txt = open(PASSFILE, "rb")
...: data = gpg.decrypt_file(txt)
...: if data.ok:
...:     password = data.data.decode('utf-8').split("\n")[0]
...:     print("Password: %s"%password)
...: else:
...:     print("Decryption failed : %s"%data.stderr)
...:
0.3.8
Password: <my password>
SUCCESSS!!!
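The [GNUPG:] lines in the failed run above are gpg's machine-readable status output, and they say more than the single status string the first test script printed. As an added example (not part of the thread or of nativePass; the function names parse_status and diagnose are hypothetical), this parses that output into a diagnosis, using the stderr text quoted above as sample input:

```python
import re

# Sample input: the stderr text from the failed gpg run quoted in the comment above.
SAMPLE_STDERR = """\
[GNUPG:] ENC_TO 11DA7FF654ACA739 1 0
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
[GNUPG:] CARDCTRL 5
gpg: card reader not available
gpg: encrypted with 2048-bit RSA key, ...
gpg: public key decryption failed: general error
[GNUPG:] ERROR pkdecrypt_failed 1
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: secret key not available
[GNUPG:] END_DECRYPTION
"""

# A status record is "[GNUPG:] KEYWORD [args...]"; everything else is a human-readable message.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(stderr_text):
    """Split gpg output into (keyword, args) status records and plain message lines."""
    records, messages = [], []
    for line in stderr_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
        elif line.strip():
            messages.append(line.strip())
    return records, messages


def diagnose(stderr_text):
    """Summarise whether decryption succeeded and, if not, what the output points at."""
    records, messages = parse_status(stderr_text)
    keywords = {kw for kw, _ in records}
    result = {
        "ok": "DECRYPTION_OKAY" in keywords and "DECRYPTION_FAILED" not in keywords,
        "recipient_keys": [a[0] for kw, a in records if kw == "ENC_TO" and a],
        "errors": [" ".join(a) for kw, a in records if kw == "ERROR"],
        "hints": [],
    }
    # CARDCTRL 5 is followed on the page by "card reader not available".
    if any(kw == "CARDCTRL" and a[:1] == ["5"] for kw, a in records):
        result["hints"].append("no card reader visible to this gpg binary; try gpg2 with the agent")
    if any("secret key not available" in m for m in messages):
        result["hints"].append("secret key not reachable from this process")
    return result
```

Feeding it data.stderr from the test script gives the recipient key ID and the failing step without printing any decrypted secret.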
@mrtndwrd thanks for the debugging and the MR.
In summary:
The python-gnupg package installed via pip breaks python GPG decryption. There is a recent issue about this.
Instead make sure to use the python3-gnupg package that comes by default with Ubuntu.
pip3 uninstall python-gnupg
sudo apt-get install python3-gnupg
Now, the gpg vs gpg2 binary question is more complicated. I will close this issue and open a new one to track this.