KMyMoney: I can't open gpg-encrypted file

If I create a new kmy file and save it with GPG encryption, I can’t subsequently open it with KMM.

I’m on a new Arch installation with KMM 5.1.3

STEPS:

  1. Use gpg --gen-key to generate a public/private key pair
  2. Configure KMM to use GPG-Encrypted XML file storage
  3. Create new file and save it, selecting the GPG key just created
  4. Close KMM and reopen

RESULT:
Message saying “Cannot open file as requested”
Cannot read the file: /home/paul/Test Encrypted.kmy /usr/src/debug/kmymoney/kmymoney-5.1.3/kmymoney/plugins/xml/xmlstorage.cpp:140

I opened the file in Kate and it looks like a GPG ASCII-armored format.

Edit 1: I can decrypt the file using gpg --decrypt and the resulting file opens OK in KMM

Do you have the gpg-agent configured? You can check it with e.g. the following command:

user@host /home/user$ grep agent ~/.gnupg/gpg.conf
use-agent
user@host /home/user$

To check if it is running, one can use e.g.

user@host /home/user$ ps ax | grep gpg-agent

I created ~/.gnupg/gpg.conf:

[paul@macbookpro ~]$ cat ~/.gnupg/gpg.conf 
use-agent

and rebooted

[paul@macbookpro ~]$ ps ax|grep gpg-agent
   1767 ?        SLsl   0:00 /usr/bin/gpg-agent --supervised
   1873 pts/1    S+     0:00 grep --color=auto gpg-agent

I’m getting some messages in the journal but so far haven’t found what to do about them:

gpg-agent[1749]: failed to unprotect the secret key: Inappropriate ioctl for device
gpg-agent[1749]: failed to read the secret key
gpg-agent[1749]: command 'PKDECRYPT' failed: Inappropriate ioctl for device <Pinentry>

I found two alternative solutions:

  1. Install the gtk2 package which on Arch is an optional dependency of pinentry
  2. Create ~/.gnupg/gpg-agent.conf with the following line:
     pinentry-program /usr/bin/pinentry-qt

… and reloading gpg-agent

I would have thought that pinentry should know to use pinentry-qt under a Plasma DE, but apparently not. I wonder if the change to qt6 is the cause.

/usr/bin/pinentry is a shell script, so you can take a look at what it is doing and why it is not working as expected in your environment.

Thanks @ipwizard, that shows how pinentry decides which password program to call. In my installation, the line which would have called /usr/bin/pinentry-qt (in a separate file sourced by pinentry) is commented out. Looks like an Arch packaging issue.
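
Added example, not from any poster in this thread or from the GnuPG or KMyMoney projects: a small shell triage that recognises the journal error quoted above and reports whether a pinentry-program line is set in gpg-agent.conf and whether that program exists. The function names, verdict strings and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the pinentry failure discussed in this thread.
# Function names and all sample data below are constructed for illustration.

# Print the active pinentry-program value from a gpg-agent.conf (nothing if unset).
# Commented-out lines are ignored; if several are set, this script reports the last.
pinentry_from_conf() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Read journal lines on stdin; succeed if gpg-agent logged the failed decrypt
# with the "Inappropriate ioctl for device" error quoted in the thread.
journal_shows_pinentry_failure() {
    grep -q "gpg-agent.*PKDECRYPT.*Inappropriate ioctl for device"
}

# $1 = file with journal lines, $2 = path to gpg-agent.conf. Prints one verdict.
diagnose() {
    if ! journal_shows_pinentry_failure < "$1"; then
        echo "no-pinentry-failure"
        return 0
    fi
    prog=$(pinentry_from_conf "$2")
    if [ -z "$prog" ]; then
        echo "set-pinentry-program"        # fix 2 from the thread not applied yet
    elif [ ! -x "$prog" ]; then
        echo "pinentry-missing:$prog"      # configured program is not installed
    else
        echo "pinentry-configured:$prog"   # program exists; reload gpg-agent
    fi
}

# Constructed sample: the journal lines from the thread and an empty config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/journal.txt" <<'EOF'
gpg-agent[1749]: failed to unprotect the secret key: Inappropriate ioctl for device
gpg-agent[1749]: failed to read the secret key
gpg-agent[1749]: command 'PKDECRYPT' failed: Inappropriate ioctl for device <Pinentry>
EOF
: > "$demo_dir/gpg-agent.conf"
diagnose "$demo_dir/journal.txt" "$demo_dir/gpg-agent.conf"
```

On a real system, save the relevant journal lines to a file and pass ~/.gnupg/gpg-agent.conf as the second argument.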