PyCharm fails to use the correct pinentry binary

Hi everyone,

I had some issues with PyCharm and GPG signing from the IDE.
Specifically, I had to solve it by creating the ~/.gnupg/gpg-agent.conf file and then appending pinentry-program /usr/bin/pinentry-gnome3, restarting the gpg-agent with gpg-connect-agent reloadagent /bye, and I was on my way.

It looks like, by default, gpg-agent does not point to the correct pinentry binary for the installed DE (in my case GNOME3).

Is this by design? Would it make sense to set up a default binary in this way for a fresh installation?

I have been using their products for many years with no issues.

You would have to confer with JetBrains.

While the community editions are installable using the repo - those are not created by Manjaro but inherited from Arch.

To avoid issues on Manjaro - install their products using the JetBrains Toolbox app - it’s a self-installing app-image you can download from their web.

I meant: is it by Manjaro design that there is no default pinentry binary set in the gpg-agent conf file?

I’ve installed as you suggested PyCharm using their toolbox on multiple independent machines and I’ve had to touch that file each time.

There has never been any need to set a default pinentry - maybe I should say change the default pinentry.

I only remember having had to set it on a system and that was caused when having an ssh-session to a remote server which also has a desktop installed - then the pinentry didn’t work when signing commits using the shell.

I consider that an edge case and not something one would need for normal operation.

@psing

As I couldn’t quite understand your issue - I decided to test what you mean and I can produce a similar issue on a fresh Gnome with PyCharm Community. The solution is only one click away from the IDE.

Configure the environment → Linux tab

Set up GPG support

  • Install gpg2 using a package manager that comes with your Linux distribution. The exact list of packages will vary based on the distribution you are using, the most important being gnupg2, gnupg-agent, and a pinentry that shows a GUI prompt. For example, on Ubuntu/Debian, run sudo apt -y install gnupg2 gnupg-agent pinentry-gnome3.
  • To verify everything is set up correctly, open the Terminal, run the gpgconf command and make sure the output is like the following:
gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
gpgsm:S/MIME:/usr/bin/gpgsm
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry

Make sure that the pinentry shows a GUI prompt using the echo GETPIN | pinentry command.
– from Sign commits with GPG keys | PyCharm

A Manjaro installation is a get-you-started installation so in the sense of covering all possible use cases it is not complete - nor does it claim to be anything but a starting point for new adventures.

To me it makes sense - but I am biased - I create my own ISO images to have my way :slight_smile:

In a broader perspective - perhaps - but then take into consideration that the majority of users don’t even know what gpg does. Furthermore the user’s gpg.conf is generated manually by the user as it is a security sensitive piece of the system - there should be no configuration distributed on the ISO as this would create a possible compromise of security.

I have been using Manjaro on production systems since around 2016. I am a developer and do commit signing and I am a heavy user of JetBrains tools and Git.

I have been diving into this topic - out of curiosity - as one should never turn back from an opportunity to gain knowledge :slight_smile: and it does indeed look like there’s a place for improvement.

The default pinentry is a script - and on Gnome 4 it will default to ncurses - likely because the file libgtk-x11-2.0.so.0 no longer exists.

Perhaps the pinentry package has been forgotten - who knows

$ cat /usr/bin/pinentry
#!/bin/sh

# user-defined pre-exec hook
test -r "${XDG_CONFIG_HOME:-$HOME/.config}"/pinentry/preexec &&
    . "${XDG_CONFIG_HOME:-$HOME/.config}"/pinentry/preexec

# site-defined pre-exec hook
test -r /etc/pinentry/preexec &&
    . /etc/pinentry/preexec

test -e /usr/lib/libgtk-x11-2.0.so.0 &&
    exec /usr/bin/pinentry-gtk-2 "$@"

exec /usr/bin/pinentry-curses "$@"

A system configuration option exists with /etc/pinentry/preexec which has some commented suggestions which may be useful in your situation.

$ cat /etc/pinentry/preexec 
#!/hint/sh

# Define additional functionality for pinentry. For example
#test -e /usr/lib/libgcr-base-3.so.1 && exec /usr/bin/pinentry-gnome3 "$@"
#test -e /usr/lib/libQt5Widgets.so.5 && exec /usr/bin/pinentry-qt     "$@"

Copy the folder /etc/pinentry to your home

cp -R /etc/pinentry ~/.config

Edit the file ~/.config/pinentry/preexec to use the pinentry-gnome3

#!/hint/sh

# Define additional functionality for pinentry. For example
test -e /usr/lib/libgcr-base-3.so.1 && exec /usr/bin/pinentry-gnome3 "$@"
#test -e /usr/lib/libQt5Widgets.so.5 && exec /usr/bin/pinentry-qt     "$@"

The gnupg and pinentry packages are inherited from upstream Arch and it would make sense to wait for upstream changes. It appears there is an updated pinentry package on the way - unfortunately - the update is not related to gtk-2 pinentry.

https://archlinux.org/packages/?q=pinentry

Perhaps it is after all worth asking the team to take a look at it.

Pinging @Yochanan as working extensively with Gnome
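
The selection order discussed in this thread (an explicit pinentry-program in gpg-agent.conf, then the user and site preexec hooks, then the wrapper's GTK2 test and curses fallback) can be checked without triggering a passphrase prompt. The script below is an added example, not part of any post and not Manjaro or Arch code; its function names and the root-prefix parameter are hypothetical, and it assumes single-line hook entries of the form `test -e LIB && exec BIN` and one pinentry-program entry.

```shell
#!/bin/sh
# Added example: predict which pinentry gpg-agent ends up running by reading
# the hooks as text (never sourcing them). Function names and the root-prefix
# parameter are hypothetical; pass "" as the prefix for the live system.

# Print the binary named by the first active `test -e LIB && exec BIN` line.
hook_choice() {   # $1 = hook file, $2 = root prefix
    [ -r "$1" ] || return 1
    while read -r w1 w2 lib w4 w5 bin rest || [ -n "$w1" ]; do
        [ "$w1 $w2 $w4 $w5" = "test -e && exec" ] || continue
        [ -e "$2$lib" ] && { printf '%s\n' "$bin"; return 0; }
    done < "$1"
    return 1
}

resolve_pinentry() {   # $1 = root prefix, $2 = user config dir, $3 = GnuPG home
    # 1. pinentry-program in gpg-agent.conf replaces the default wrapper.
    if [ -r "$3/gpg-agent.conf" ]; then
        prog=$(awk '$1 == "pinentry-program" { print $2; exit }' "$3/gpg-agent.conf")
        [ -n "$prog" ] && { printf '%s\n' "$prog"; return 0; }
    fi
    # 2. User hook, then site hook, in the order the wrapper sources them.
    hook_choice "$2/pinentry/preexec" "$1" && return 0
    hook_choice "$1/etc/pinentry/preexec" "$1" && return 0
    # 3. The wrapper's own GTK2 test, then its curses fallback.
    if [ -e "$1/usr/lib/libgtk-x11-2.0.so.0" ]; then
        echo /usr/bin/pinentry-gtk-2
    else
        echo /usr/bin/pinentry-curses
    fi
}

# The wrapper sources the hooks on every passphrase prompt, so a hook that
# other accounts can modify lets them run code in that prompt's context.
hook_writable_by_others() {   # succeeds if $1 is group- or world-writable
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Report for the current user.
cfg="${XDG_CONFIG_HOME:-$HOME/.config}"
echo "pinentry selected: $(resolve_pinentry "" "$cfg" "${GNUPGHOME:-$HOME/.gnupg}")"
for h in "$cfg/pinentry/preexec" /etc/pinentry/preexec; do
    if hook_writable_by_others "$h"; then
        echo "WARNING: $h is writable by group or others"
    fi
done
```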

Hey there! Thanks for your exhaustive answer. This is what I did step by step:

I’m having a similar issue where if I’m trying to export my gpg key while on an ssh session, it will prompt on the remote desktop using the desktop and not the terminal. This is beside the PyCharm issue though.

Before making the changes you suggested in this post, this would just prompt me to a form on the terminal. Now it works as expected without changing the default pinentry binary! It also works on PyCharm as expected.

I like adventures!

Thanks a lot.
