gpg-agent won't start

Hello,

Our applications called the GNUPG 1.4.2 executable and it worked without issue. We upgraded to GNUPG version 2.2.27 and now we have problems with the gpg-agent. This sometimes refuses to start. The log looks like this:

gpg-connect-agent: no running gpg-agent - starting 'C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe'
gpg-connect-agent: waiting for the agent to come up … (5s)
gpg-agent[3580]: WARNING: "--use-standard-socket" is an obsolete option - it has no effect
gpg-agent[3580]: error binding socket to 'C:/ProgRRQ/GnuPG/RRQGnuPG02E/S.gpg-agent': Unknown error
gpg-connect-agent: waiting for the agent to come up … (4s)
gpg-connect-agent: waiting for the agent to come up … (3s)
gpg-connect-agent: waiting for the agent to come up … (2s)
gpg-connect-agent: waiting for the agent to come up … (1s)
gpg-connect-agent: can't connect to the agent: IPC connect call failed
gpg-connect-agent: error sending standard options: No agent running

  • We are on Windows Server 2016 with gpg4win 3.1.15.

  • We have seventeen directories (homedir) each containing the keys of a communication partner. So there can be up to 17 agents running.

  • For now, after each restart of the server, I do a manual start of the seventeen agents. The starting problem is also present in manual. I use this command:
    "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG01E /bye

  • I have experimented with version 2.3.7 and the problem occurs much less often, but it is still present.

  • Is our use of GNUPG 2 correct? Should we go back to the latest version 1.4?

  • Here is an example of a call by one of our applications:
    "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --verbose --ignore-mdc-error --homedir C:\ProgRRQ\GnuPG\RRQGnuPG15P -r "RQ Prod" -o "\siaechpcq02\depotsys\EE5\EE5N731_Temp\urh1vftx.scs" -d "\siaechpcq02\depotsys\EE5\EE5N731_Temp\nfbxl3yo.4nb"

Hi Christian,

while you can run several instances of gpg-agent, can you elaborate on why you need them? Note that gpg-agent only deals with the secret key material. And usually if there are several communication partners, you could just use the same key pair from your side for all of them, e.g. to sign a file. For the communication partners you are then using different public keys (and again, those are not managed by gpg-agent).

To make analysis easier for others, I suggest you try to get the diagnostic message in English. This makes it easier to find the place in the source code where the message originates from.
However, in your case it is understandable that the socket at
'C:/ProgRRQ/GnuPG/RRQGnuPG02E/S.gpg-agent': Unknown error
cannot be created by the gpg-agent.

As it is a general error, it is not directly clear why the socket cannot be created. I take it that
it will be different directories that are tried, each for one gpg-agent. How often is: “sometime”?
Can you try to quantify it?

There must be some factor triggering the unavailability of the socket, which will be important
to understand the situation. Are you creating the sockets pretty fast? Because the operating
system may need a bit to allow a socket to be re-used.

As for which version you can or should use:
In general, the latest modern and stable version is best, this would be Gpg4win version 4.0.3
with GnuPG 2.3.7.

As https://gnupg.org/download/index.html states, version 1.4 is only recommended for
legacy systems or key material.

Can you link to the section in the manual that you are referring to, when you say that the starting problem is in the manual?

It is hard to tell if you are using GnuPG in a good way from the infos you gave.
What are you trying to do?

Regards
Bernhard

Hi Bernhard,

Here is more information:

Q: What are you trying to do?

A: Migrate from gnupg 1.4 to gnupg 2.x in an environment where gpg.exe is called by an application to encrypt and decrypt files.

Q: while you can run several instances of gpg-agent, can you be more elaborate, why you need them?

A: This is because of the way this file transfer system was built. Note that it was implemented at least fifteen years ago with version 1.4 of GNUPG, before the agent became mandatory.

Each partner has a directory, on the server where GPG4WIN is installed, which contains its public key and our public/secret key pair specific to that partner. Each time a file received from a partner or to be sent to a partner must be encrypted/decrypted, our application calls GNUPG. The directory specific to the partner concerned by the exchange is passed in the "--homedir" parameter. Eventually, when at least one file transfer has taken place with each partner, we end up with seventeen agents in execution.

Here are the two types of commands that are used:

Decryptions:
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --verbose --ignore-mdc-error --homedir C:\ProgRRQ\GnuPG\RRQGnuPG15P -r "RQ Prod" -o "\siaechpcq02\depotsys\EE5\EE5N731_Temp\dshr3n4q.h5c" -d \siaechpcq02\depotsys\EE5\EE5N731_Temp\kvhs3fev.04x

Encryption and signature:
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --verbose --ignore-mdc-error --homedir C:\ProgRRQ\GnuPG\RRQGnuPG11P -r "CLE_CSPQTEHVRRQ" -o "\siaechpcq02\depotsys\EE5\EE5N731_Temp\jm105off.ryq" -se "\SIAECHPCQ02\DepotSys\EE5\EE5N731_Temp\s0ua2xbx.b1t"

Q: Note that gpg-agent only deals with the secret key material. And usually if there are several communication partners, you could just use the same key pair from your side for all of them, e.g. to sign a file. For the communication partners you are then using different public keys (and again, those are not managed by gpg-agent).

A: I haven’t found in the documentation yet why a key pair is created for each communication partner. Maybe they wanted to avoid impacting all partners at once when replacing the key when it expires.

The files we send are signed and encrypted and the files we receive are also encrypted. So the secret key becomes necessary in any case.

Q:To make analysis easier for others, I suggest you try to get the diagnostic message in English. This makes it easier to find the place in the source code where the message originates from.

A: Is there a way to force the messages in English? I use a French OS.

Q:As it is a general error, it is not directly clear why the socket cannot be created. I take it that it will be different directories that are tried, each for one gpg-agent. How often is: “sometime”? Can you try to quantify it?

There must be some factor triggering the unavailability of the socket, which will be important to understand the situation. Are you creating the sockets pretty fast? Because the operating system may need a bit to allow a socket to be re-used.

A:Here are some tests I did:

I start the seventeen agents one after the other with a batch file to simulate the call to gnupg by the applications. I tested with a delay between commands of 3, 30 and 300 seconds. Here is an excerpt from the batch file I’m using:

@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG01E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG02E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG03E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG04E /bye
@echo %time%

With gnupg 2.2.27:

With a delay of 3 seconds: 5 agents have not started (3-7-8-9-13)
With a delay of 30 seconds: 5 agents have not started (1-6-7-13-15)
With a delay of 300 seconds: 4 agents did not start (9-12-13-14)

With gnupg 2.3.7:

With a delay of 3 seconds: 3 agents did not start (12-14-17)
With a delay of 30 seconds: all agents have started
With a delay of 30 seconds (second try, 5 minutes between the two tries): 1 agent did not start (7)
With a delay of 30 seconds (third try, 5 minutes between the two tries): all agents have started

Q:Can you link to the section in the manual that you are referring to, when you say that the starting problem is in the manual?

A: I meant that the agent startup problem is present both when gpg.exe is called by the application and when I simulate a call to the agent with the command "gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPGxxP /bye in a command prompt.

Regards
Christian Roy
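As an added example (not code from this thread, and not part of GnuPG or Gpg4win), here is a PowerShell version of the batch test above. It starts the per-partner agents one at a time with a configurable delay, records for each homedir whether gpg-connect-agent could reach the agent, asks the agent for its PID as an independent liveness check, and notes the socket path gpgconf resolves for that homedir (useful for Bernhard's question on where the socket ends up). The install path, the homedir naming pattern, the delay, and the use of LANG=C to get English diagnostics on Windows are assumptions.

```powershell
# Added example, not code from the thread: drives the same start-up test as the batch file
# above, but keeps a per-homedir record of the outcome. Paths and naming are assumptions.
$Gpg          = 'C:\Program Files (x86)\GnuPG\bin'
$Base         = 'C:\ProgRRQ\GnuPG'                       # assumption: parent of the homedirs
$HomeDirs     = 1..17 | ForEach-Object { Join-Path $Base ('RRQGnuPG{0:D2}E' -f $_) }
$DelaySeconds = 30

# Assumption: the Windows build honours the same locale variables as the Unix one,
# so this forces English diagnostics for the child processes started below.
$env:LANG = 'C'

$Results = foreach ($dir in $HomeDirs) {
    $t0 = Get-Date

    # Same implicit auto-start the applications rely on: connect, spawn gpg-agent if
    # there is none for this homedir, then quit. Output is captured for the report.
    $connect   = & "$Gpg\gpg-connect-agent.exe" --homedir $dir /bye 2>&1 | Out-String
    $connectOk = ($LASTEXITCODE -eq 0)

    # Independent liveness check: ask the agent for its PID over the socket.
    # The reply is a line "D <pid>" followed by "OK".
    $pidLine = & "$Gpg\gpg-connect-agent.exe" --homedir $dir 'GETINFO pid' /bye 2>&1 |
               Select-String -Pattern '^D (\d+)' | Select-Object -First 1
    $agentPid = if ($pidLine) { $pidLine.Matches[0].Groups[1].Value } else { $null }

    # Where this homedir's agent socket actually lives. GnuPG may redirect it away from
    # the homedir, as the AppData\Local\gnupg\d.xxxx path in the English log shows.
    $socket = (& "$Gpg\gpgconf.exe" --homedir $dir --list-dirs agent-socket 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        HomeDir   = $dir
        Started   = $t0.ToString('HH:mm:ss')
        ConnectOk = $connectOk
        AgentPid  = $agentPid
        Socket    = $socket
        Error     = if ($connectOk) { '' } else {
                        ($connect -split "`n" | Where-Object { $_ -match 'error|can.t' }) -join ' | '
                    }
    }

    Start-Sleep -Seconds $DelaySeconds
}

$Results | Format-Table -AutoSize
$failed = $Results | Where-Object { -not $_.ConnectOk -or -not $_.AgentPid }
"{0} of {1} agents failed to start" -f @($failed).Count, $HomeDirs.Count
$failed | ForEach-Object { "  {0}: {1}" -f $_.HomeDir, $_.Error }
```

Run it once per delay value; the Socket column shows whether every homedir maps to its own redirected socket directory, and the Error column keeps the "error binding socket" text of the failed agents next to the homedir that produced it.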

here are the messages in English that I get when the agent fails to start:

C:\Users\S206169>"C:\Program Files (x86)\gnupg\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG16P /bye
gpg-connect-agent: no running gpg-agent - starting 'C:\Program Files (x86)\gnupg\bin\gpg-agent.exe'
gpg-connect-agent: waiting for the agent to come up … (5s)
gpg-connect-agent: waiting for the agent to come up … (4s)
gpg-connect-agent: waiting for the agent to come up … (3s)
gpg-connect-agent: waiting for the agent to come up … (2s)
gpg-connect-agent: waiting for the agent to come up … (1s)
gpg-connect-agent: can't connect to the gpg-agent: IPC connect call failed
gpg-connect-agent: error sending standard options: No agent running

In the log:
gpg-agent[8908]: WARNING: "--use-standard-socket" is an obsolete option - it has no effect
gpg-agent[8908]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[8908]: error binding socket to ‘C:\Users\S209999\AppData\Local\gnupg\d.muer3x65e6swu55u\S.gpg-agent’: Unknown error
gpg-agent[8908]: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg-agent[8908]: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg-agent[8908]: secmem usage: 0/32768 bytes in 0 blocks

Hi Christian,
on Windows I do not know what the best way is to get output in English.
(On GNU/Linux systems it would be to set an environment variable for LANG=C.)
Maybe you can switch completely to English while testing on the operating system.

One solution for you could be to import all public and all secret keys
into one keyring and use one agent for all of them.
For the decryption it does not make a difference, and for encryption you just have to make sure that
you use the right recipient for each one (and even if by accident you encrypt to someone else than intended, they would not be able to decrypt it).

On why sockets are not started, I don’t know. In principle it could be a limitation in the network stack (or a firewall). Do the logs show that a different socket is chosen each time?
Maybe you could try to set a fixed socket and start the gpg-agent explicitly each time.

Regards,
Bernhard
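As an added example (not code from this thread or from GnuPG), the consolidation Bernhard suggests above in PowerShell: export the public keys and our secret key from each per-partner homedir into one merged homedir, start that single homedir's agent explicitly once, and run the two application calls against it. Decryption needs no change because gpg selects the secret key the message was encrypted to; encryption and signature gains a --local-user so that the right one of our seventeen signing keys is used. The install path, the merged homedir name, the per-partner directory pattern, the key names, the placeholder files and the assumption that all secret keys share one passphrase (read from an environment variable) are assumptions. The example deliberately drops --ignore-mdc-error from the original commands: that flag suppresses the integrity-check failure, so a tampered ciphertext would decrypt without complaint.

```powershell
# Added example, not code from the thread: one keyring and one agent instead of seventeen.
# Paths, key names, passphrase source and placeholder files are assumptions.
$Gpg         = 'C:\Program Files (x86)\GnuPG\bin'
$Base        = 'C:\ProgRRQ\GnuPG'
$Merged      = Join-Path $Base 'RRQGnuPG_all'            # assumption: new consolidated homedir
$PartnerDirs = 1..17 | ForEach-Object { Join-Path $Base ('RRQGnuPG{0:D2}P' -f $_) }
$Passphrase  = $env:GPG_PASSPHRASE                        # assumption: same passphrase on all 17 keys
$Tmp         = Join-Path $env:TEMP 'gpg-merge'

New-Item -ItemType Directory -Force -Path $Merged, $Tmp | Out-Null

foreach ($dir in $PartnerDirs) {
    $pub = Join-Path $Tmp 'pub.gpg'
    $sec = Join-Path $Tmp 'sec.gpg'

    # Public keys (the partner's and ours) need no passphrase.
    & "$Gpg\gpg.exe" --batch --yes --homedir $dir --export -o $pub
    & "$Gpg\gpg.exe" --batch --yes --homedir $Merged --import $pub

    # The secret key is unlocked through the same loopback/stdin mechanism the applications use.
    $Passphrase | & "$Gpg\gpg.exe" --batch --yes --homedir $dir --pinentry-mode loopback --passphrase-fd 0 --export-secret-keys -o $sec
    $Passphrase | & "$Gpg\gpg.exe" --batch --yes --homedir $Merged --pinentry-mode loopback --passphrase-fd 0 --import $sec

    Remove-Item $pub, $sec -ErrorAction SilentlyContinue
}

# Start the single agent explicitly once, so the applications never race on auto-start,
# then confirm it answers on its socket (reply: "D <pid>" then "OK").
& "$Gpg\gpgconf.exe" --homedir $Merged --launch gpg-agent
& "$Gpg\gpg-connect-agent.exe" --homedir $Merged 'GETINFO pid' /bye

# Check which secret keys and user IDs ended up in the merged keyring.
& "$Gpg\gpg.exe" --homedir $Merged --list-secret-keys --with-colons | Select-String '^(sec|uid)'

# Decryption: gpg picks the secret key the message was encrypted to, so only the homedir changes.
# (No --ignore-mdc-error: a failed integrity check must fail the decryption.)
$Passphrase | & "$Gpg\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --homedir $Merged -o "$Tmp\received.bin" -d "$Tmp\received.gpg"

# Encryption + signature: with several of our secret keys in one keyring, name the signing
# key with --local-user (assumption: 'OurKeyForPartner11' is the user ID of that key).
$Passphrase | & "$Gpg\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --homedir $Merged --local-user 'OurKeyForPartner11' -r 'CLE_CSPQTEHVRRQ' -o "$Tmp\outgoing.gpg" -se "$Tmp\outgoing.bin"
```

If the seventeen secret keys do not share a passphrase, run the two secret-key lines inside the loop with the passphrase for that directory; everything else stays the same. Once the merged homedir works, the applications only need the --homedir value changed and, for signing, the --local-user added.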